Casa has just rolled out radio wave-screening “Faraday bags” as the ultimate cypherpunk accessory for bitcoin hardware wallets.
EU hardware wallet manufacturer Trezor has responded to a report from its competitor Ledger that described vulnerabilities in Trezor’s devices.
Trezor claims that none of the weaknesses revealed by Ledger in a detailed report on March 10 are critical for hardware wallets. As per Trezor, none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.”
Trezor further cites the results of a recent security survey performed in partnership with major cryptocurrency exchange Binance. According to the survey, only around 6 percent of respondents believe that physical attack is the biggest threat to their crypto funds, while 66 percent claim they consider remote attacks a main problem.
Furthermore, Trezor noted that a “$5 wrench attack” — a targeted theft when the user is forced by intruders to disclose his password — cannot be prevented by a hardware barrier set by the manufacturer. Nonetheless, in the case of accidental thefts, the probability of cracking a Trezor wallet is relatively small, as the criminals will not be able to find the necessary equipment, the company states.
Of the five vulnerabilities in Trezor One and Trezor T disclosed by Ledger, Trezor said that four of them are patched, non-exploitable or require a PIN. Trezor also noted that the manufacturing process for its devices is closely monitored.
Trezor’s response to the recent Ledger report on their wallet vulnerabilities. Source: blog.trezor.io
Ledger initially disclosed its findings during the #MITBitcoinExpo at the Massachusetts Institute of Technology this weekend. The company focused on hacking attacks that require access to the device. In particular, Ledger described an option to extract a secret key via a side-channel attack, and the possibility of stealing confidential data from the device.
Ledger’s Attack Lab has found five vulnerabilities in hardware wallets of its direct competitor Trezor.
As of press time, Trezor was not immediately available to comment on Ledger’s findings.
The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly addressed Trezor about weaknesses in their Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended.
The first issue is related to the genuineness of the devices. According to the Ledger team, the Trezor device can be imitated by backdooring the device with malware and then re-sealing it in its box by faking a tamper-proof sticker, which is reportedly easy to remove. Ledger states that this vulnerability can only be tackled by overhauling the design of the Trezor wallets and, in particular, by replacing one of the core components with a Secure Element chip.
Secondly, Ledger hackers reportedly guessed the value of the PIN on a Trezor wallet using a side-channel attack and reported it to Trezor in late November 2018. The company later solved the issue in its firmware update 1.8.0.
The third and fourth vulnerabilities, which Ledger also offers to solve by replacing the core component with a Secure Element chip, consist of the possibility of stealing confidential data from the device. Ledger states that an attacker with physical access to Trezor One and Trezor T can extract all the data from the flash memory and gain control over the assets stored on the device.
The last weakness discovered is also related to Trezor’s security model: according to Ledger, the crypto library of the Trezor One does not contain proper countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the secret key via a side-channel attack, although Trezor has claimed that its wallets are resistant to it.
In November 2018, Trezor itself warned that an unknown third party was distributing one-to-one copies of its flagship Trezor One device. The fake wallets seemed to originate from China, and the company thus urged owners to buy wallets only from Trezor’s website.
However, in the recent report, Ledger claims that users cannot be sure even when they purchase hardware from the official Trezor website. The attacker could possibly buy several devices, backdoor them, and then send them back to the manufacturer asking for reimbursement. In case the compromised device is sold again, the user’s crypto funds can be stolen, Ledger concludes.
In November 2018, the research team behind the so-dubbed Wallet.fail hacking project demonstrated how they hacked the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. Both Trezor and Ledger then admitted to the found vulnerabilities — with Trezor noting that a firmware update would address them — but Ledger also added that they were not critical for its wallets.
Ledger claimed that the recently uncovered vulnerabilities in their hardware wallets are not critical.
In the post, the company explains that there appeared to be “three attack paths which could give the impression that critical vulnerabilities were uncovered,” but according to them “this is not the case.”
The reason Ledger says that the vulnerability is not critical is that “they did not succeed to extract any seed nor PIN on a stolen device” and “sensitive assets stored on the Secure Element remain secure.”
According to the company, the Ledger Nano S vulnerability “demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) app is launched.”
This, Ledger claims, is “quite unpractical, and a motivated hacker would definitely use more efficient tricks.” While the researchers claimed that the vulnerability allowed them to “send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves,” Ledger denies this, stating:
“Their firmware runs snake on the MCU in Bootloader mode. This means that you have to push the left button at boot and the Secure Element does not even boot.”
Ledger also claims that the demonstration of the Ledger Blue attack is “a bit unrealistic and not practical,” claiming that “the position of the receiver and the attacked device must be exactly the same, the position of the USB cable is also paramount (as it acts as an antenna).”
The post stated that “if the conditions are not exactly the same, the machine learning classifier won’t work properly.” For this reason, Ledger concluded:
“This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).”
Furthermore, because of this vulnerability, Ledger stated that the next Ledger Blue firmware update will feature a randomized keyboard for the PIN.
The company also stated that they “regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.” According to Ledger “in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users.”
In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault. Moreover, the company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.
Software security researchers have reportedly been able to extract private keys from the Trezor One hardware wallets.
Researchers have reportedly shown how they were able to hack the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. The demonstration of the hacks was published in a video on Dec. 27.
The research team behind the hacking project dubbed “Wallet.fail” is made up of hardware designer and security researcher Dmitry Nedospasov, software developer Thomas Roth and security researcher and former submarine officer Josh Datko.
During the conference, the researchers announced that they have been able to extract the private key out of a Trezor One hardware wallet after flashing — overwriting existing data — a custom firmware. However, they pointed out that this exploit only works if the user didn’t set a passphrase.
Pavol Rusnak, CTO of SatoshiLabs (the company behind Trezor), commented on Twitter that they were not notified through their Responsible Disclosure program prior to the demonstration, and that they will address the reported vulnerabilities through a firmware update at the end of January.
Moreover, the same group of hacker researchers also claimed during the talk that they were able to install any firmware on a Ledger Nano S, a leading hardware wallet. While the team used this vulnerability to play the game Snake on the device, one member of the team that found the exploit claimed:
“We can send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves [via software,] or we can even go and show a different transaction [not the one that is actually being sent] on the screen.”
The team also demonstrated that they found a vulnerability in the Ledger Blue, the most expensive hardware wallet produced by the company, that comes with a color touchscreen. The signals are transported to the screen by an unusually long trace on the motherboard, the researcher explained, which is why it leaks those signals as radio waves.
When a USB cable is attached to the device, the aforementioned leaked signals get strong enough that, according to the researchers, they could be easily received from several meters.
Using artificial intelligence (AI) software deployed in the cloud, the team was reportedly able to obtain the device’s PIN from a dump of the radio signal leaked at the moment the PIN was entered.
When asked about BitFi, the hardware wallet promoted as being “unhackable” by crypto advocate John McAfee in July, a team member said that “we only talk about somewhat secure wallets” before concluding that “we didn’t want to use a Chinese phone in this talk.”
Moreover, also in August, a group of researchers declared to have successfully sent signed transactions from the BitFi wallet, claiming to meet the conditions of the bounty program.
As of press time, neither Ledger nor Trezor has responded to Cointelegraph’s request for comments.
Ledger, one of the leading security-focused hardware wallet suppliers, has sold more than one million hardware crypto wallets in 2017, earning a profit of $29 million, the firm said in an interview with Forbes July 9.
Having raised $75 million this January in a Series B funding round led by European venture capital firm Draper Esprit, the Paris-based company is planning to raise more funds this year.
Ledger’s president Pascal Gauthier revealed that while the January round was focused on venture capitalists, “who could advise on Ledger’s consumer Nano S business,” the new round intends to attract “industrial partners who will also sign commercial contracts with the crypto startup.”
Sources told Forbes that the forthcoming round has already attracted the interest of tech giants like Samsung, Google’s venture arm GV, and Siemens, with talk of Ledger’s valuation reaching as high as $1 billion.
Gauthier noted that the newly launched multi-user product Ledger Vault, which is designed for hedge funds and retail investors, has already caused a stir, with “literally clients queueing outside our office to buy it.”
Apart from introducing Ledger Vault, the company has recently teamed up with Japanese global investment bank Nomura Bank to develop a crypto custody solution for institutional investors. The new joint venture “Komainu” aims to deliver a digital asset infrastructure and operational framework for institutional investors.
In late 2017, Ledger’s hardware wallet Ledger Nano S made the top ten on Amazon’s best-seller list in the computer and accessories department, beating major competitors such as Trezor and KeepKey.
Ledger, one of the leading hardware wallets on the market, has announced its interest in implementing support for Tron [TRX].
This was done in response to a tweet sent by a user who wanted to know if in the future the popular wallet could be used to store Tronix.
The French company mentioned that although they do not have current support for Tron [TRX], they welcome developers to work with them on future support.
The work required to achieve this implementation is especially complicated since Tron now operates its own mainnet. Previously TRX were simply tokens running on the Ethereum network.
We invite Tron developers to get in touch with us and join our Developer Slack to evaluate the technical complexity related to their new blockchain
— Ledger (@LedgerHQ) June 12, 2018
Immediately after the tweet, Tron users rushed to retweet and mention Justin Sun to make sure he was aware of Ledger’s intentions.
Awesome to see you guys incorporating interesting new options, seems like TRX is a great choice, since it is one of the trading volume leaders on nearly every exchange. Everyone will want to keep their TRX on a #LedgerWallet!
— Tron Whale (@TR0N1XWhale) June 12, 2018
Right now Tron is receiving significant support from exchanges and tech companies around the world after migrating to its own mainnet. According to coinmarketcap, more than 100 different trading markets are available for this popular cryptocurrency.
Among the most recent and important supports to the Tron [TRX] mainnet are Binance, Bitfinex, Cryptopia, Bithumb, OkEx, Upbit, Huobi, Bittrex, Coinnest, Bancor, Yobit, among others.
Additionally, the use of a hardware wallet would be extremely positive for users and would be a new point in favor of the popular crypto.
Ledger’s invitation is especially important because if the Tron community were to provide adequate support, it would be possible to plan for its adoption, giving more serious consideration to the technical work involved.
At the moment, Ledger’s Trello board does not have Tron as one of its projects. The five most voted cryptos with planned support are XMR (870 votes), XSN (354 votes), ADA (375 votes), IOTA (160 votes) and DECRED (149 votes).
Without a doubt, a crypto as popular as Tron [TRX] could easily get a voting record within the project.
A predetermined answer by Ledger or legitimate interest in other altcoins?
Seems like these kinds of responses inviting developers to work with the Ledger team are not uncommon.
Looking at the Ledger TL, very similar responses to support requests for other cryptocurrencies appear very quickly.
Ledger doesn’t offer support for XZC yet, but we welcome developers to work on the integration. You can also follow-up our roadmap for future implementations https://t.co/4PGV5TOz2l
— Ledger (@LedgerHQ) June 12, 2018
Ledger doesn’t offer support for KMD rewards yet but we welcome developers to work on the integration
— Ledger (@LedgerHQ) June 12, 2018
However, in the face of other requests, they refrained from inviting developers to participate, simply mentioning that they have no support planned:
Hello, EOS integration has not been planned yet. You can follow our future integration here https://t.co/4PGV5TOz2l
— Ledger (@LedgerHQ) June 12, 2018
MelissaSweet1, a camgirl in Arizona, started accepting cryptocurrency as payment for her erotic webcam performances three years ago. But usually, she would promptly convert it into fiat.
Until last year that is, when she started squirreling away the digital coins in a hardware wallet. Rather than simply an expedient way to get paid, crypto became a part of her retirement plan.
Like MelissaSweet1, several other sex workers recently interviewed by CoinDesk described similar shifts in their crypto usage. While others in the blockchain industry debate whether bitcoin is primarily a transactional currency or a global store of value, sex workers are already using the technology for both.
The trend speaks to both the surge in cryptocurrency prices, which has made it more rewarding to hold on to coins rather than cash out, and an intensification of the very problem that led the sex industry to turn to blockchain technology in the first place.
Namely, it’s even harder than it was just six months ago for people in this line of work to get any kind of mainstream financial services in the U.S. – not just the payment processing that’s long been elusive for them.
“More banks are viewing any sex work as high risk, and an increasing number of banks are refusing to accept direct deposits from adult industry companies,” said MelissaSweet1, who like other sex workers did not want to give her real name.
In such an environment, sex workers – a broad category that includes not only escorts but lawful workers such as erotic dancers, porn stars and even film production professionals – see saving money the old-fashioned way as increasingly risky because their accounts can be closed and funds frozen without warning. Some are afraid that centralized crypto services will start to do the same.
So, in addition to hodling the crypto they receive from clients, they’re also moving their digital money offline from third-party services to cold storage methods under their control.
Adult performer and token enthusiast Brenna Sparks alluded to the new state of affairs in a tweet last month. Recounting a conversation with a makeup artist on set, Sparks wrote:
“She happens to invest [in crypto] as well. ‘I’m trying to retire.’ I shook my head in agreement. ‘Same.'”
But since retiring on crypto means securing it for years or even decades to come, these freelancers often evangelize in closed groups about the importance of cold storage. This is the practice of keeping the private key to a wallet – which is like a long, indecipherable and hard-to-remember password – offline, either on a piece of paper or a hardware device.
“I’ve seen an increase,” camgirl and adult film actress Ginger Banks, who has been in the industry for eight years, told CoinDesk about her peers discussing how to manage private keys. “Just recently myself, people have been encouraging me to get my stuff off of Coinbase.”
As long as users control their private keys, their crypto cannot be confiscated, a risk that even legal sex workers face when they keep money in the bank.
“The reason that security is taken so seriously by the adult industry is because they are so used to having their accounts discontinued or frozen without warning by traditional centralized institutions,” Nathan Smale, chief operating officer at the crypto startup Intimate, told CoinDesk.
“You are dealing with women and men who have always had to take responsibility for their own safety and protection, rarely being able to rely on others to actually help them,” Smale said. “Is it any wonder that they would take control of their own funds and manage them?”
Even those who continue to use regulated, third-party services are hedging their bets. For instance, Leah, a 20-year-old sex worker who specializes in a form of BDSM, told CoinDesk she worries the government will create stricter regulations for cryptocurrency transactions, which would result in the kind of discrimination and account closures sex workers have long encountered from legacy financial providers.
So Leah uses a hardware wallet in addition to exchange accounts on sites like Coinbase. The flipside of cold storage, as seasoned crypto users know, is that key management can be stressful and involved. If you lose your key, or forget the PIN or the recovery passphrase for a hardware wallet, you’ll never be able to access your money.
“Cryptocurrency is something still pretty new, it’s decentralized so you have to hold yourself more responsible,” MelissaSweet1 said.
More to come
Despite the headaches involved, the trend among sex workers of using crypto to save for retirement looks likely to grow, as an unintended consequence of recently enacted and pending legislation.
First, there was the SESTA/FOSTA legislation package that passed in the U.S. in March, which conflated consensual sex work with sex trafficking, and weakened legal protections for internet service providers (including online financial platforms) used by sex workers.
While traditional banks and payment networks like Visa have been inhospitable to sex workers for at least a decade, these new laws gave them one more reason to fear for their reputations if they come anywhere near the industry. Now there is another bill working its way through Congress, which could criminalize providing banking services for “traffickers.”
“These laws do pose a real threat to me,” MelissaSweet1 said.
But that’s not to say these crypto users want to break the law. Indeed, while naysayers may be quick to point out that saving for retirement without a licensed service provider could lend itself to tax evasion, blogs and social networks for sex workers are full of freelancers sharing tips on how to file taxes – including taxes on bitcoin payments.
“There is a way to report income even when you’re doing something that might be, in some states or locations, outside the law,” Mike Stabile, communications director at the Free Speech Coalition, a nonprofit adult industry trade organization, told CoinDesk. “Those people who are working in sex work do pay taxes. They do have deductions.”
To that point, MelissaSweet1 said she has been checking all her legal compliance boxes while working in the adult entertainment industry for the past five years and plans to continue doing so because she is proud of her work.
Besides, she said:
“To my knowledge, there are no retirement services that specifically cater to sex workers.”
Looking ahead, some sex workers are thinking about other potential wealth-building applications for blockchain technology. For example, Ginger Banks said she hopes to someday establish her own studio using smart contracts to send royalties (which are rare in the adult entertainment industry) directly to individual cryptocurrency wallets for long-term income throughout retirement.
“It feels like I am a part of history if I hold these coins for the future,” Banks said.
In an update posted on its official blog, Ledger has announced the release date of the Ledger Wallet Desktop Edition. The final date is scheduled for July 9th.
This decision would make Ledger a leading company not only in the manufacture of hardware wallets but also in the market of software-based wallets, an essential step in the expansion of its business vision.
A Preview of the Interface Ledger is Developing
The company, known for its famous Ledger Nano S, has gained fame within the community for the high quality of its products. According to official data, the Ledger Nano S boosted the company’s production to more than 1 million units sold.
Until now Ledger relied on Google Chrome plugins and similar solutions for its configuration and use. But just after they announced the development of a Ledger Wallet Desktop Edition in February 2018, it was easy to note the positive sentiment it generated among the crypto fans.
As a result, Ledger Wallet Desktop Edition was announced with a lot of features that make it – again – a formidable competitor compared to other options like Trezor:
- Native desktop application (Windows, macOS, Linux)
- Multi-currencies (28 cryptos including Bitcoin, Altcoins, Ethereum, Ripple…)
- Multi devices (Ledger Nano S, Ledger Blue)
- Read-only consultation of accounts without device (protected by optional password)
- Dashboard view of all assets
- Counter values: choice of currency & exchanges
- Send, receive, account balances & history
- On device verification of the receive address
- Faster account synchronization engine
- Easy onboarding for new users
Also, Ledger Wallet Desktop Edition’s support for such a wide range of operating systems facilitates not only adoption but also ease of use for a growing user base.
Ledger Wallet Desktop Edition: The Beginning of a New Era
The French company behind the development of Ledger will not settle for the launch of a Desktop Edition. According to its blog, it also plans to expand the features and products it offers very soon.
According to the post in which they announced the Desktop Edition, these would be the promises of new developments for the near future:
- Mobile application version (Android & iOS)
- Ledger Nano/HW.1 support
- Install/uninstall apps on Ledger Nano S automatically to smoothly manage a non limited number of cryptos on one device
- Ethereum ERC20 tokens & contract management
- Third party apps integration (buy/sell cryptocurrencies, exchanges, swaps…)
- Transaction tags & notes
- Spotlight search
- Generate more than one new address
- 100+ cryptocurrencies support
The Ledger Wallet Desktop Edition will hit markets this July 9th 2018. The mobile version is planned for the end of Q4 2018; also, the Ledger team will announce all the other developments when they reach their final version; however, Ledger’s priority is to support ERC20 tokens.
Japanese financial services giant SBI Holdings has invested in fintech company Templum, which focuses on offering regulated securities token offerings, according to a press release published yesterday, April 25.
SBI Holdings’ investment concluded a $10 mln fundraising round, which Templum reportedly will use to bring in institutional and accredited investors. SBI Holdings did not disclose the exact amount they invested.
The Japanese finance company is currently leading a 61-bank consortium working on a domestic payments mobile app using Ripple’s technology.