U.S.-based startup VaultTel has launched a tiny cryptocurrency hardware wallet that sits in the SIM tray of mobile phones.
Calling themselves Wallet.Fail, three security researchers found ways to access crypto hardware wallets in ways that weren’t intended by their creators.
The race among crypto custodians to secure high-end clients is growing fiercer by the day.
Ledger, the France-based wallet and custody startup, is ramping up the number of cryptocurrencies it supports to meet the demand for multi-coin solutions, particularly from institutional investors.
Revealed exclusively to CoinDesk, the company will add support for new crypto assets on the first Tuesday of each month, starting in August, with a goal of having more than 100 supported by the end of 2019. Currently, Ledger’s products and services handle only about two dozen tokens, and this week it’s adding support for tron (TRX) and zcoin (XZC).
The move is yet another sign of how the cryptocurrency industry is rapidly evolving, with an ever-widening array of assets to choose from and big-money players nosing around for investment opportunities and influencing companies’ business decisions.
While Ledger, founded in 2014, is primarily known for its hardware wallet and corresponding app for individual bitcoin users, CEO Eric Larcheveque cited its newer business lines – which offer custody services to hedge funds and other big players – as the driver behind this “Token Tuesdays” initiative.
“If we want to sign those [institutional] customers, we don’t have a choice,” Larcheveque told CoinDesk. “We have to support the top 100 cryptos, minimum.”
For similar reasons, BitGo recently added support for 57 ethereum-based assets to its custody services for institutions. Meanwhile, thousands of wealthy accredited investors are on a waiting list for the crypto key management startup Casa, which is scheduled to release its self-managed bitcoin solution in August and eventually add other tokens.
In turn, however, Larcheveque predicted offering custodial support for a wider range of tokens could bring would-be whales off the sidelines, saying:
“This will allow hundreds of hedge funds to deploy their capital into crypto, and enable all these other financial institutions to move billions into crypto.”
Further, Ledger president Pascal Gauthier said bringing traditional players into the wider crypto ecosystem would bolster bitcoin’s real-world value, even if these investors ultimately buy other crypto assets. After all, the world’s largest cryptocurrency is still one of the largest liquidity conduits for cashing out tokens.
More broadly, “institutions coming into this industry means that there is even more trust and it brings more value to the industry,” Gauthier said.
A rising tide…
As Ledger courts institutions, it aims to do so in a way that enhances the hardware wallet’s utility for retail investors as well.
“I would say that the major drive for crypto integration, in the end, comes from the needs of our enterprise customers,” said Larcheveque. “At the same time, it profits our hardware wallet users. It’s a virtuous circle.”
For example, this week the startup also unveiled an upgraded version of the hardware wallet’s companion app. Unlike its predecessor, which was really several apps in one, the new Ledger Live automatically pushes updates to all parts of the app, so the company can add support for new tokens faster.
Now, it’s much easier to imagine adding dozens of cryptos in just one year to meet Ledger’s business goals. At the same time, individual users can now manage different assets in one place rather than switching from one app to another.
“We really want to cover the maximum amount of cryptocurrencies,” said Larcheveque. “The Live [app] is the first step in this direction because it will give us a new foundation, a new platform, where we can add as much crypto as we want.”
App usage is growing faster than demand for Ledger’s hardware wallets, of which the company has sold over one million units. Larchevêque said the app, which can be used without the wallet, grew from 100,000 monthly users in November 2017 to 500,000 monthly users today.
Open-source tools for Ledger Live also allow external communities to build support features for their favorite crypto. “Then we can publish them [support features] after review,” Larcheveque said. “Thanks to the community work by all these developers, we can scale much faster by adding new cryptos.”
Indeed, according to Tron’s head of engineering, Tian Han, Ledger’s new tron support was spurred in part by user-submitted code, although his organization also provided financial assistance.
“Users got together to form a team to build the implementation. Tron employees weren’t involved aside from giving a grant,” Han told CoinDesk. “We also awarded an $80,000 grant to the Ledger Wallet integration team members, and have future grants planned for Trezor Integration as well.”
To some, the rush to offer token custody solutions to Wall Street incumbents may seem hard to square with the crypto community’s “be your own bank” philosophy.
But Ledger actually has two business lines targeting institutional investors. One is a series of partnerships with organizations such as Nomura Bank in Japan, which uses Ledger’s tools for full-custody services, more akin to a traditional deposit.
The other is called the Vault, an enterprise-grade custody solution for teams at an institution, like traders at a hedge fund, to self-manage crypto assets, an arrangement that’s more in line with the crypto community’s ethos. This multi-signature wallet is connected to many individual hardware devices for each team member.
“They are being their own bank just like with the Nano S [Ledger’s hardware wallet] you are being your own bank as an individual,” Gauthier said. “The different managers that are signing off on the transactions will all have a device.”
So far, this self-custody approach appears to be rare, though. Typically, institutions don’t want to manage their own private keys, and even some that do so don’t want to be completely self-reliant.
“The best solution is I have a key, my partner has a key, and some guy that I’ve never heard before has a key,” said Travis Kling, co-founder of Ikigai Asset Management, a hedge fund that uses BitGo in this way.
In the view of Jameson Lopp, an infrastructure engineer at Casa, institutions are applying “old world” ideas about custody to these new digital assets.
Although full-custody services don’t align with Lopp’s philosophy of self-reliance, he acknowledged the need for a spectrum of services and healthy competition between companies like Casa, Ledger, and BitGo. He told CoinDesk:
“It’s perfectly fine if people choose to trust a third party. But the whole reason we got into this system in the first place is that people don’t have to do that if they don’t want to.”
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.
Ledger, the France-based maker of hardware cryptocurrency wallets, has raised $75 million in Series B funding.
According to an announcement today, the new round was led by the U.K.-headquartered investor Draper Esprit, and also included Draper Venture Network, FirstMark Capital, Cathay Innovation, and Korelya Capital. Existing investors such as CapHorn Invest, GDTRE and Digital Currency Group also participated in the round.
Ledger said it plans to use the new cash primarily to scale its business amid the growth in the popularity of cryptocurrencies.
Eric Larcheveque, CEO of Ledger, commented:
“These funds will be used to keep investing significantly in R&D while scaling our operations and deploying our teams globally.”
In the release, the company also said that it is developing a new storage solution for managing crypto assets, named the Ledger Vault. The product will be aimed at institutional investors such as banks and hedge funds.
Launched in 2014, Ledger offers a range of hardware wallets for storing cryptocurrency private keys. The new funding comes almost a year after the firm closed a $7 million Series A round in March 2017.
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Ledger.
Recently leaked computer vulnerabilities Meltdown and Spectre offer yet another reminder of how hard the digital age makes it to keep private information – even cryptocurrency private keys – safe.
Unveiled Wednesday, the widespread hardware vulnerabilities simultaneously impact Intel, ARM and AMD computer chips, which power the vast majority of the world’s computers, mobile devices and servers, making it possible to steal private data such as passwords, financial information or just about anything stored on any device that uses one of these chips.
This matters for cryptocurrency in particular because hackers can potentially use the specific attack vector to pinch the private keys that allow users to control their bitcoins on the blockchain.
Popular Mechanics called it a “horrific” bug, contending it’s “hard to zero in on the most troubling part of this flaw,” while an informational page authored by security researchers remarks that you’re “most certainly” impacted by the bug.
And though there’s no evidence that any passwords have been compromised, experts say it wouldn’t be surprising if hackers or the NSA have been exploiting the attack.
If you’re already following best practices for cryptocurrency storage, then you’re probably fine. But if not, or if you’re a newer user, experts say it’s important to keep private keys on a safe device.
“Better safe than sorry,” Bitcoin Core developer Bryan Bishop told CoinDesk, adding:
“An attacker who has knowledge of a sufficiently powerful vulnerability can theoretically force your CPU to reveal secret data such as private keys used to control your bitcoin.”
It’s important to note that the advice to store private keys on a secure device is nothing new. (Crypto developers have long warned against storing private keys on laptops or other devices that interact with the internet.)
But the reasons why might not be obvious for newer users. Even though bitcoin and other cryptocurrencies are secure protocols, they must interact with the open internet and regular computers. In short, storing private keys so close to the internet can potentially expose users to hacks and theft.
And the new CPU vulnerabilities make the situation even worse, as a chain of actions can lead to error and compromise.
“If the protected memory problem is real, then a browser plugin or even a website may access your private keys,” said Bitcoin Core contributor Jonas Schnelli.
The full details of the issue aren’t yet public, so it’s unclear what the precise attack vectors are. Still, others suggested a similar impact could be likely.
“To get hit by this attack, all you would have to do is click a link by accident and maybe you end up on a website that serves a bad ad with the malware code that steals your data,” Bishop added.
And while these scenarios might sound far-fetched, most of today’s malware preys on similar vulnerabilities that have yet to be patched. It’s just impossible to know whom they’ll actually hit, or when.
Operating system fixes are now available, and users should apply them to patch their Windows, Mac, and Linux devices. But, for cryptocurrency users, the better option is not to store private keys on an internet-connected device at all, a recommendation that was common long before this particular vulnerability.
One option is to store private keys on a so-called “hardware wallet,” such as Ledger or Trezor. The small devices might not be quite as easy to use, but they are more secure in that they’re not connected to the internet.
Pavol Rusnak, CTO of SatoshiLabs, the company behind Trezor, went as far as to argue “Using a [hardware] wallet is now more important than ever!” While ethereum developer Lefteris Karapetsas quipped, “I bet Spectre and Meltdown is the best thing that could have happened for cryptocurrency cold wallet businesses.”
Exchange treasure troves
Beyond solo consumer devices, a much bigger, more worrying target is cryptocurrency exchanges and businesses, which store cryptocurrency private keys for millions of users at once.
Some cryptocurrency exchanges use cloud hosting services such as Amazon Web Services and Google Cloud to run their websites, rather than spin up their own servers.
While these platforms make websites easier to manage, they are particularly vulnerable to these attacks. A hacker could theoretically spin up a server using the same hardware as a cryptocurrency startup running operations on such a cloud platform and suddenly have access to all of their data.
In the crypto world, a hacker could hypothetically use this attack vector to steal private keys.
On the one hand, many of the most popular cloud platforms quickly rolled out fixes. On the other hand, researchers worry that deep-rooted vulnerabilities could spawn unfixed variants, with possible lingering effects to come.