How To Compromise A Cryptocurrency Hardware Wallet
A few years ago, I was speaking at an event related to crypto-tokens and the topic of security came up. One theme I noticed immediately was the phrase “if it’s not your keys, it’s not your tokens,” which I heard numerous times that evening. When a few audience members asked what this phrase meant in practice, crypto-token fanatics suggested hardware wallets because, in their words, they had “perfect security.” I cautioned everyone that nothing in the digital world is secure, including hardware wallets. Once we understand how a digital system works, we can immediately begin attacking it. Hackers have done this in numerous areas and will continue to.
In How To Compromise A Cryptocurrency Hardware Wallet, I cover an example of how researchers at Kaspersky were able to compromise hardware wallets. These are only a few techniques; privately, I know security researchers who have found other ways. Hackers, if they haven’t already, will be next. What we can learn from this is that ignorance is not a security technique. Just because we don’t know how something can be done doesn’t mean it can’t be done.
As a quick note on hardware wallets: just as there are ever newer ways to attack air-gapped machines (machines not connected to the internet), there will be ever newer ways to attack hardware wallets. This doesn’t only apply to hardware wallets. Some security practices rely on physical devices, and those devices can also be compromised once they are studied closely. As these devices grow in use, the rewards for attacking them grow as well.
Some important considerations in the discussion:
- With anything involving tech and security, what is a question that we should consider that I mention early in the video?
- How can we apply this question to topics which may make us feel uncomfortable or uncertain and what is it about our present behavior that makes us feel uncomfortable?
- What is wrong with the two lines of thinking — “It’s safe because I don’t know” and “It’s safe because it hasn’t been done before”? In what other areas of security are these lines of thinking dangerous?
- When it comes to security, how can we apply “what people want to know” versus “what is actually true” and what are some action steps we can take to ensure we’re not doing the same thing?
- What is one counterparty risk of the digital world and how are your actions in the digital world taking this into account?
That last question is the most important one to consider. While we may not weigh what others are doing when we act, we have to understand that every action that relies on others is subject to significant risk. In the context of security, an example of this is providing companies with our data while assuming those companies are keeping it safe. Yet, as we’ve seen very recently, both Facebook and LinkedIn had leaks of PII and linkability information, and such leaks occur regularly when we consider all the PII breaches of the last year.
Just like everyone else, we tend to think that we’re the exception (or that we’ll be the exception) to the rule when the opposite is true. We’re not exceptions and we’re not exceptional. Accepting this protects us because it makes us consider the risks we may be overlooking. In addition, when our security involves others, nothing we do on our own is enough, because our security depends on their actions too. This is the digital world in a nutshell, but on steroids, since security in the digital world often involves multiple actors.
Take the SolarWinds compromise. Imagine that you were a database administrator who had managed to keep your environment perfectly secure, yet a tool that you used (SolarWinds in this case) was compromised. No matter how perfect your security was, the tool you depended on was compromised, so it didn’t matter that you practiced good security. However, most people stop here, and this isn’t the place to stop. We have to consider that any weak point of a company, any tool the company uses, or any of the company’s talent can be compromised (or worse, spoofed). Something as simple as a .NET or Python library, or an electronic device that allows digital extraction of information, may give a hacker all he needs to compromise our environment. Thus, even an individual’s own security means nothing in the digital world when it depends on others.
Speaking of cybersecurity, in Automating ETL we discuss ETL in the context of security this year. Each month features a new lesson on security that we consider as part of our design. As the world of data grows, expect more attacks and compromises to occur. We look at specific strategies and overall architecture that can help us overcome these challenges. For a coupon to the course, check out the trailer video on the channel SQL In Six Minutes.