What are the critical aspects of security in HASHWallet?

eSignus
eSignus
Oct 25 · 5 min read
HASHWallet, the most secure hardware wallet for cryptocurrency.
HASHWallet, the most secure hardware wallet for cryptocurrency.

HASHWallet is a solution designed to provide the highest level of security in the custody and validation of crypto actives transactions. There are two keys that, separately, make this card the safest device possible.

The first is to be WYSIWYS, the acronym for “What You See Is What You Sign.” We sign what we see in a large screen, but without relying on intermediaries as all other platforms do. The underlying idea is not to rely on an elaborate system but a straightforward one, and to ensure that all security is in the device itself, not in a system. This way of working eliminates the security problem that is the Achilles heel of the other solutions, the so-called “Man in the Middle” attack.

The second is to be a non-programmable device. It will be a bit less flexible device since it won’t be upgradeable, but this particular feature makes it invulnerable to external attacks.

Being a non-programmable device, HASHWallet will receive an altered operation. If it does not match the one emitted by the smartphone, it will not be signed. We sign what we see

Examples of operations without these security levels

Let’s look at a couple of known systems to analyze how these two features impact your security.

First, let’s think about the security of the credit card system performed face-to-face. There are six participants: the user, the credit card, the dataphone, the dataphone operator, the transmission channel and the information processor.

In this case:
- The dataphone operator types the transaction.
- The user places his credit card in the dataphone and types his PIN.
- The dataphone interrogates the card and asks if your PIN is correct.
- If the device says ‘yes’ and the operation is online, it consults the processor.
- The processor accepts or rejects the transaction.
- The dataphone receives acceptance or rejection and informs the operator and the user.

This operation is not WYSIWYS because we are accepting an action that we do not know, there is simply a number on a screen, nor is it done on a non-programmable device. Let’s see all the unknowns that this generates:
When the user types his PIN, he trusts that the number on the dataphone screen is the same that will be sent to the processor. It’s perceived security, but the user doesn’t know that he is authorizing. Besides, the device is upgradeable, and it could be a corrupt dataphone.

All participants trust that nobody is going to interfere in the operation or modify it. But we don’t enter the amounts or the PIN on the card or the operator, but on a dataphone, which is an intermediate device beyond the control of the user. Besides, the communication channel is not secure either. Also, the user trusts that the PIN he typed into the dataphone will not be stored, but is not guaranteed as it’s not a non-programmable device.

If the card uses the magnetic stripe, the user is confident that his card won’t be cloned (this problem is avoided with the disuse of the magnetic stripe), as it’s not a non-programmable device.

In short, none of the participants is in control of security; there are too many spaces for insecurity since any of these points can be modified or copied. Except for the last point, it is the same even if we use EMV or NFC cards.

Indeed, this type of operation is old, and we hope that the improvement of the systems will avoid these problems.

Let’s take a look at an operation in crypto-assets with a hardware wallet, a more modern system. These are the steps with a procedure performed on a Ledger or a Trezor device.

We enter the application on the computer and select the operation we want to perform, select the recipient of the funds and the currency to be transferred.
Then, we connect our hardware wallet via USB or Bluetooth.

The information is transferred to a device that we have previously unlocked and is automatically signed. As this information is already signed, it cannot be altered. But did we sign what we wanted?

The weak point of all these systems is that the user checks the operation on the computer screen. But how to be sure that we are signing the right information? The answer is simple: we cannot know until we‘ve signed it, and then it may be too late.

How can the platform be corrupted?
It is not necessary to access the hardware wallet to corrupt the platform; it is required to act on the computer application, either directly or by overlapping. In other words, we modify the app so that it sends to the hardware wallet a different transaction, or we’ve got a layer that makes us type what we want. Still, the crackers introduce another operation in the correct application.

Another option, more complex but theoretically possible, would be the intervention of the channel between the application and the communications port, modifying the transaction to sign.

All this is possible since the operation is not WYSIWYS: we do not sign what we are seeing, but we trust that nobody corrupts the information and that there are no modifications in the transfer.

Would there be other ways to corrupt it?
Another way much more complicated but theoretically possible would be the reprogramming of the hardware wallet to sign unwanted operations. For that purpose, it would be necessary to know the way of programming the wallet, get the device to accept an update and load it.

How to perform an operation with HASHWallet?
We select the currency in the HASH Control App, either on a computer or on a smartphone. It is requested to send it to the HASHWallet device, which has to be turned on and active, so we can check the transaction on the large e-ink screen. The signature is secure as it’s performed on a reliable device.

What happens if someone intercepts the transaction via Bluetooth listening?
If it were not encrypted, we would be leaving the transaction visible.

What happens if the application on our computer or smartphone is cracked?
A different operation will be sent to HASHwallet; as the device is WYSIWYS, it will abort the false operation without signing it.

eSignus

Written by

eSignus

eSignus is a consultancy firm experienced in the financial, technology and crypto security sectors. We run HASHWallet, the most secure hardwallet in the market.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade