Ensuring the safety of crypto assets: a closer look at crypto hardware wallet audits

The 1inch Hardware Wallet
6 min read, Feb 20, 2024


Audits of crypto hardware wallets significantly reduce the risk of critical vulnerabilities, safeguarding both user funds and the crypto wallet’s reputation.

Malicious actors constantly advance their tactics, developing elaborate attacks to exploit even the most secure systems. A single undetected vulnerability can lead to devastating losses and leave users exposed. By undergoing security audits, crypto wallets demonstrate their commitment to user safety and transparency. It’s a proactive step that helps to build trust within the community, assuring users that multiple layers of security protect their crypto assets.

However, a 2023 report from the cybersecurity certification platform CER painted a worrying picture: about 70% of crypto wallets are vulnerable, only 13.3% have undergone penetration testing to uncover security flaws, and of those only half had tested their latest product versions. These numbers point to a large gap in security practice that leaves users exposed to attack.

While hardware wallets provide extra security by keeping private keys offline, they are not foolproof. The Ledger Connect Kit incident in December 2023 was a stark reminder of that. In that breach, malicious code was injected into a JavaScript library that dApps load to connect to wallets, and the tampered library fooled users into approving transactions that emptied their wallets. The attack was spotted and halted quickly and only a small group of users was hit, but the lesson is clear: the private keys never left the devices, yet funds were lost because the host software misrepresented what users were signing. Rigorous audits of hardware wallets must therefore cover the host software and the device's transaction display, not just the secure element.

The main types of crypto hardware wallet vulnerabilities

Crypto hardware wallet audits are systematic examinations conducted by independent third parties to assess the security, reliability, and integrity of the wallets. They involve a thorough check of various aspects of the wallet, each with its own set of vulnerabilities, including architectural, firmware, software, hardware, and physical vulnerabilities.

  • Architectural vulnerabilities are inherent design flaws, such as holding secrets in a component that was never designed to resist extraction; fixing them requires a major hardware revision.
  • Firmware vulnerabilities affect the code running on the device itself and can be patched through firmware updates, provided the update path is itself authenticated.
  • Software vulnerabilities affect the host software (desktop or mobile application) that connects to the wallet and can likewise be addressed through software updates.
  • Hardware vulnerabilities arise from incorrect hardware configuration, such as debug interfaces or readout protection left in the wrong state, and might require a new hardware revision.
  • Physical vulnerabilities relate to the physical design of the device itself, for example susceptibility to fault injection (glitching) or side-channel measurement of its components, and can only be mitigated by a new hardware revision.

Understanding crypto hardware wallets audit processes

  • Architectural analysis/design review. A crypto hardware wallet audit starts with a high-level review of the wallet's architectural design, focusing on the interfaces and communication paths between the host and the device. This phase aims to identify unsecured data transmissions that could compromise user security and establishes the threat model that informs the subsequent analyses.
  • Wallet architecture report. This report contains a comprehensive threat model covering all aspects of the wallet's operation, including its interactions with desktop or mobile applications. Findings from this stage are prioritized by severity, and architectural changes are proposed to mitigate the identified risks.
  • Firmware and software analysis. A thorough examination of the device firmware and the host software to identify specific vulnerabilities. At this stage, mitigation strategies are proposed to minimize or eliminate the risks posed by each finding, protecting the integrity of the wallet's code.

The entire process can be integrated into the wallet's development cycle. Each vulnerability discovered this way is assessed and validated for applicability and severity, and an effective mitigation is then proposed and implemented. This continuous feedback loop ensures that every potential weakness is addressed, so the wallet emerges from the audit process stronger and more resilient than before.

Prioritizing security with the 1inch Hardware Wallet

The 1inch Hardware Wallet team puts a heavy focus on security. When we decided to engage an independent third party for our project, we conducted extensive research and, based on the results, chose KeyLabs, the leader in crypto hardware wallet audits.

This step has been especially beneficial for one simple reason: we are not handing over finished devices for audit after the fact. Instead, we are coordinating all aspects of the hardware, firmware, and security design with KeyLabs as they are implemented. In other words, our architecture is audited before a line of code is written. Undergoing verification this early boosts our confidence and helps us avoid mistakes that would otherwise only surface in a post-implementation security report, when they are far more expensive to fix.

This includes a detailed examination of how the microcontroller interacts with the secure element, the methods used for deploying updates, firmware signatures, and the cryptography behind the entire system. KeyLabs doesn't believe in one-size-fits-all solutions. They work closely with us to understand the specifics of our product, tailoring their audit process to our particular needs and concerns. These audits are key to making sure our design is sound and follows industry best practices.
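To make the "firmware signatures" and "methods used for deploying updates" items above concrete, here is an added example (written for this article, not code from the 1inch Hardware Wallet or KeyLabs) of the check a bootloader performs before accepting an update, in Go using the standard library's ed25519. The image layout, the "HWFW" magic, the field order and the error names are assumptions constructed for this illustration. The points an auditor looks for are all visible in the verifier: bounds are checked before any field is parsed, the signature is verified before any header field is trusted, and the anti-rollback comparison runs on the authenticated version, so an attacker cannot replay an old but genuinely signed image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, constructed for this example (not the 1inch
// Hardware Wallet's real format):
//
//   magic[4] = "HWFW" | version uint32 (big endian) | payload length uint32 |
//   payload[len] | ed25519 signature[64]
//
// The signature covers everything before it, so version and length are
// authenticated together with the payload and cannot be swapped around.
const (
	imageMagic = "HWFW"
	headerLen  = 12
)

var (
	ErrTruncated = errors.New("image shorter than header plus signature")
	ErrBadMagic  = errors.New("bad magic")
	ErrLength    = errors.New("length field does not match image size")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("version below installed anti-rollback minimum")
)

// BuildImage is the signer side: the vendor's build pipeline, which holds the
// private key, wraps a payload and signs header+payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(img[0:4], imageMagic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	sig := ed25519.Sign(priv, img)
	return append(img, sig...)
}

// VerifyImage is the device side: the bootloader holds only the public key and
// a monotonic minimum version. It returns the payload only if every check
// passes. Order matters: bounds before parsing, signature before trusting any
// field, then the anti-rollback check on the now-authenticated version.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:4]) != imageMagic {
		return 0, nil, ErrBadMagic
	}
	plen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so a hostile length field cannot overflow the sum.
	if uint64(headerLen)+uint64(plen)+uint64(ed25519.SignatureSize) != uint64(len(img)) {
		return 0, nil, ErrLength
	}
	signedEnd := headerLen + int(plen)
	if !ed25519.Verify(pub, img[:signedEnd], img[signedEnd:]) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version < minVersion {
		return version, nil, ErrRollback
	}
	return version, img[headerLen:signedEnd], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware blob for demonstration")
	good := BuildImage(priv, 3, payload)

	_, _, err = VerifyImage(pub, 2, good)
	fmt.Println("genuine v3, device at v2:", err)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 2, tampered)
	fmt.Println("one payload bit flipped:", err)

	old := BuildImage(priv, 1, payload) // genuinely signed, but older
	_, _, err = VerifyImage(pub, 2, old)
	fmt.Println("genuine v1, device at v2:", err)
}
```

Two design choices are worth noting. The version field lives inside the signed region, so downgrading a new image to an old version number breaks the signature rather than slipping past the rollback check. And the verifier never reads the version before the signature has been validated; parsing attacker-controlled fields first is exactly the kind of ordering mistake an audit of the update path is meant to catch.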

So, why KeyLabs?

KeyLabs is best known for its 2018 wallet.fail presentation at 35C3. That talk, the first of its kind, revealed multiple vulnerabilities in the popular crypto hardware wallets of the time, namely the Trezor, Ledger, and KeepKey. Since then, KeyLabs has continued to audit crypto hardware wallets and cold storage solutions, often reviewing several wallets in parallel. This breadth lets KeyLabs help new hardware wallets avoid the pitfalls that leading wallets on the market have already run into.

Image: Seed extraction against the Trezor by Dr.-Ing. Dmitry Nedospasov of KeyLabs
Image: Proprietary glitching setup used for testing

This step also matters a great deal to our community and investors. It shows that we deliver on our promises to users, with security as the foremost priority. Security is not only the cornerstone value but the mission of our project and of every product in the 1inch network ecosystem. So when we say that our work, from inception to execution, is scrutinized from the start by a crypto hardware wallet audit company under the oversight of security experts, that is a concrete commitment to user security. The process works as a robust form of quality control: every decision we make is reviewed twice, once by us and once by an independent party.

Furthermore, we are taking steps to verify our supply chain, so that the manufacturing process, firmware installation, and verification mechanisms are protected from external tampering. KeyLabs documents every finding, verifies each identified vulnerability, assesses its impact, and recommends how to address it.

The 1inch Hardware Wallet underlines its commitment to transparency and security by pledging to publish the final audit results, so that the community and users are fully informed about the wallet's security properties. With KeyLabs by our side, we are confident that our product will not only meet but exceed the highest security standards.

Crypto hardware wallet audits are absolutely essential in today’s crypto landscape, which is rife with numerous threats. That’s precisely why teaming up with KeyLabs for security was the right decision from the get-go.

As part of our commitment to being transparent and trustworthy, we will commission a second audit by another independent third party to further validate these results. This reflects how seriously we take open-source development and how determined we are to make our hardware wallet secure and reliable. We will also launch a bug bounty program, to get the community involved and make sure we stay on top of any potential issues.

With limited spots on the waiting list, there’s no reason to wait — grab your spot now and join the 1inch Hardware Wallet. From exclusive loot boxes to first dibs on beta testing, only for early birds!

Join the waitlist and stay connected with us!

Website: https://hw.1inch.io/
Twitter: https://twitter.com/1inchHW
Discord: https://discord.gg/eFudQjaemy
Telegram Announcement Channel: https://t.me/OneInchHW
Medium: https://medium.com/@OneInchHW
LinkedIn: https://www.linkedin.com/company/hwlt
