A tale of supply chain attacks and why you should not order with your real address

This post is part of a series of five blog posts under the title “hardware wallet versus software wallet”.

Damilola Debel | Published in AirGap | 4 min read | Jul 6, 2021

Security has always been one of the major concerns in the crypto space. In this blog post, we will be looking at supply chain attacks and the Ledger data leak that occurred in 2020, which exposed the personal information of about one million crypto wallet buyers, and how you can prevent yourself from being caught in this kind of scenario.

What is a supply chain?

The set of activities involved in the processing and movement of products or services from the producer to the user is known as the supply chain. It can also be described as the manufacturing chain which gets a product from the beginning to the end of its life cycle. This entails the product components, suppliers, manufacturers, vendors, distributors, customers, and users.

What is a supply chain attack?

An attacker can target any insecure point along the supply chain. This is known as a supply chain attack. It is very appealing to hackers because they can tamper with many devices at once and may not need any further interaction with those devices. One of the reasons this works so well is that we tend to trust what we receive from our supplier, without realizing that somewhere down the chain an attack occurred that may harm us or the device or service we are ordering.

One example of a supply chain breach was published by news.bitcoin.com, where a man’s life savings were stolen from a hardware wallet supplied by a reseller. This kind of attack and many others will continue to occur in the crypto space. Being aware of it takes you one step further away from becoming a victim.

Although not a supply chain attack, a related incident was the data leak that occurred in 2020 at Ledger, a popular producer of hardware wallets. This breach exposed a large amount of data and personal information of customers, including phone numbers and physical addresses. The leak involved one million emails from wallet owners and clients who had signed up for the company’s newsletter service. Although this breach had no direct impact on the security of the hardware wallet, the app, or funds, it led to some issues, which are listed below:

Breach of personal information: When ordering a Ledger, buyers are usually required to fill in personal/contact information such as name, phone number, email, and physical address. The leak exposed this detailed information for about two hundred and seventy thousand customers. Those details included all the information they were required to fill in when placing an order (phone number, email, and physical address). To protect against this, users on Reddit recommend ordering anything crypto-related with fake credentials.

Funds were lost: Some days after the database was leaked, generic spam emails began to be sent, telling recipients that they were “compromised” and had to verify immediately whether their seed was stolen by visiting a website where the seed had to be entered. Such scams may look very authentic, since the attackers had not only the email addresses but also the customers’ names and addresses. So they could send emails like “We sent you a ledger to your address XXX, which was part of a shipment of ledgers that were compromised”. With such detailed information contained in the email, users were likely to be less suspicious, and those who fell for this trick most likely lost their funds.

Threats of kidnapping and burglary: After the breach, some people reported receiving threats about attackers entering their homes and hurting their family members unless they sent some coins to a certain address. These people now have to live in constant fear of someone breaking into their house and trying to steal their seed backup.

These and many other factors are why we advise users not to order a hardware wallet using details such as their home address.

Better and secure alternative

Supply chain attacks are an obvious problem, and one that affects not only hardware wallets but also software wallets. We at AirGap are well aware of this and have put in place measures that limit the likelihood of a supply chain attack to the bare minimum, if not eliminate it.

  • All AirGap components are subjected to several security audits by third-party security professionals to prevent this kind of attack and other related ones.
  • The Vault app that stores the private key never connects to the internet, so if for whatever reason an attack occurs, which is very unlikely with our solution, your private key stays within the device and never gets sent over the internet.
  • You get to choose the device (phone) on which you want to install our apps, so it is practically impossible to target the supply chain of every phone.

In a situation similar to the Ledger data leak, AirGap completely removes the risk of such an attack because users’ personal information is not needed to access our applications. This places us steps ahead of hardware wallets, as we offer a more secure solution to safeguard not only your assets but also your privacy.

Interested in AirGap? Stay in touch and give us feedback.

Telegram | GitHub | Website | Twitter | Reddit | Discord
