Hardware crypto wallets have a potential loophole, which real-time monitoring and intelligence can fix
Crypto hackers are giving digital assets a bad name. Even when you think wallets and exchanges should be safe in 2019, there have still been recent cases of crypto heists involving millions of dollars. Just in September, the Fusion Foundation lost around $3.5 million worth in tokens to perpetrators, for instance.
Cointelegraph lists five of the worst hacks that have involved hundreds of millions of dollars stolen. The most famous or infamous of these heists involve Mt. Gox, which was one of the most popular exchanges of its time, processing around 70 percent of the world’s transactions. At least $460 million was stolen from the platform from 2011 to 2014.
“Hot” wallets have not been the only target of attacks, as even Mt. Gox’s “cold” wallets — or wallets not connected online — were also breached. This means that while offline or hardware wallets are supposedly harder to steal from, there is still some potential risk, especially if it involves weak links along the chain of security.
“One and the most important goal of a hardware wallet is to protect the private keys from the remote attack. So the moment the hardware wallet gets connected to the PC that has internet access or is accessible by attacker any other way (a compromised PC), there is a chance something may go wrong,” says Anatoly Ressin, Chief Blockchain Architect at blockchain analytics and intelligence company PARSIQ.
Ye Fei, Chief Technology Officer at Beijing ColdLar Information Technology Co., Ltd. (ColdLar), shares that the risk mostly involves other parties gaining access to private keys: “When we talk about security, there is a concept called a Security Boundary. Currently if the hackers get the hardware wallet device in hand, the performance of different hardware wallets varies greatly in terms of whether the private key is still safe, the probability of being cracked, and the cost. In general, a security chip or a strong password (BIP39 password) is badly needed.”
Best practices in keeping hardware wallets safe
According to Ye Fei, one of the best practices in ensuring the security of one’s hardware wallet is being able to keep such assets closely guarded: “It is always essential to know your asset dynamics, especially when storing large assets and multi-currency assets. For instance, current wallets basically applies HD (Hierarchical Deterministic) solution and a set of mnemonics to manage all assets.”
He says that even if hardware wallets are “cold”, there could still be a risk that perpetrators could somehow gain access to private keys. In this case, real-time monitoring and notifications will play a part in better securing one’s digital assets. “Theoretically speaking, in an extreme situation, the leakage of one address may lead to the leakage of all the other addresses. With the help of real-time monitoring and analytic systems, once the leakage of one address is discovered, you can transfer all the other assets in time to reduce losses.”
“Active blockchain monitoring features can definitely provide additional security to users and ensure transparency of transactions,” says Ressin. “Notifications and additional transaction information can be provided in real-time, allowing deeper insights during the transaction process and potentially allowing to react to certain transactions accordingly when time is of essence.”
Another risk is the loss of one’s password or recovery seed, which renders a hardware wallet useless in the event of such loss. “This also means that in situations where the user has not properly kept their seed safe, they won’t be able to retrieve lost assets because nobody else has it,” says Michael Ou, Founder and CEO of CoolBitX, a blockchain security company whose infrastructure aims to close the gap between the mainstream market and crypto industry.
Here, users need to exercise prudence in handling their wallets. “For that reason, it’s been our ongoing mission to educate users the importance to store your recovery seed somewhere safe. You are in total control of your private keys, but you will also need to bear the potential consequences of not taking the necessary measures of keeping the recovery seed,” Ou adds.
Edmund Lowell, Visionary and Head of Product at authentication platform Selfkey, agrees: “If the seedphrase is lost, there is probably no way to recover the wallet. If the seedphrase is, on the other hand, adequately protected (usually by splitting the seed and storing it securely in several locations) — most wallets can be regenerated from seed phrase on a new device. So even if a hardware device is lost, it could be recovered from this phrase.”
Establishing standards will be necessary to better protect users
Experts agree that regulation and better standards can encourage better trust in the cryptocurrency ecosystem, and establishing real-time monitoring solutions will play a part in this.
Ye Fei says there is always an opportunity for improvement, especially in the user interface of hardware wallets: “Currently the functional definition of hardware wallet is still improving. What kind of hardware wallet is preferred by users is still a mystery. Meanwhile, there are still many difficult problems to be solved, such as the backup of mnemonic, design of password strength, and the password recovery mechanism, etc.”
Ressin is optimistic with how hardware wallets can evolve to be smarter: “We will see additional layers added for example like the one giving the ability to be notified about transactions involving crypto assets secured on their cold wallet device, without compromising their security since the private keys are kept secure in the hardware.”
Ou agrees: “From our point of view, we do feel that in order to accomplish the overall industry’s goal of cryptocurrency mass adoption, an additional layer of security such as monitoring and analytics can prevent the multiple bad actors in the space, eventually making it more secure.”
