Hardware Wallet Vulnerabilities & Threat Models

From Trezor One to BitBox02 and the upcoming Foundation Passport, hardware wallets are remarkable technological devices. Though their design is simple and minimalistic enough to be easily copied by any DIY enthusiast, they manage to mitigate the hardware limitations with smart software workarounds.

No hardware wallet is perfect, and each device has known issues of its own. For instance, the Trezor hardware wallets are relatively easy to hack if you gain physical access to them (as proven by Kraken Security Labs). However, the easy fix is to set up a passphrase – an extra secret that is not stored on the device, so someone with physical access who eventually brute-forces the PIN still can't reach the coins without it.
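To make concrete why the passphrase defeats a physical attacker, here is an added example (not from the article or from any wallet vendor's code) that derives a BIP39 seed with Python's standard `hashlib`. The passphrase is mixed into the PBKDF2 salt, so the same 12 or 24 words produce a completely different wallet for every passphrase; a device that only stores the words holds nothing an attacker could use to reconstruct the passphrase-protected wallet. The mnemonic used is the public all-"abandon" BIP39 test phrase, not a real wallet, and the expected seed for passphrase "TREZOR" is the published BIP39 test vector.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and "mnemonic" + passphrase (also NFKD) as salt.
    The passphrase therefore is part of the key material, not a login check.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Constructed sample: the public BIP39 test phrase, never used for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def wallets_for_passphrases(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Return the hex seed each passphrase yields from one fixed mnemonic.

    Every entry is a distinct wallet; the empty string is the "no passphrase"
    wallet a physical attacker would reach after brute-forcing the PIN.
    """
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def seeds_all_distinct(mnemonic: str, passphrases: list[str]) -> bool:
    """True when no two passphrases collide onto the same seed (expected)."""
    seeds = wallets_for_passphrases(mnemonic, passphrases)
    return len(set(seeds.values())) == len(passphrases)


if __name__ == "__main__":
    for p, seed in wallets_for_passphrases(SAMPLE_MNEMONIC, ["", "TREZOR", "trezor"]).items():
        # Note that even a case difference in the passphrase gives an unrelated seed.
        print(f"passphrase={p!r:10} seed={seed[:16]}...")
```

Running the block prints a different seed prefix for each passphrase, including the case-only variant, which is why a forgotten or mistyped passphrase locks you out just as effectively as it locks out an attacker.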

In the case of the Ledger hardware wallets, you have the greatest amount of physical security. There is no record of the Ledger secure element chip getting hacked and causing loss of coins. Yet users can’t check the code that’s going into the chip, have no idea what the device is doing in the background while connected, and must trust that Ledger is fair and honest. This approach isn’t really compatible with the “don’t trust, verify” open source spirit of Bitcoin, but it works for lots of users who prefer it.

And then we have in-betweeners such as Cobo Vault, BitBox02, and Coldcard. They take the best of both worlds and combine Trezor's open source architecture with Ledger's secure element design to provide a balance between the two. Some would praise their boldness in embracing a middle ground, while others would argue that they provide neither.

Which hardware wallet is for you? The one which fits your threat model!

It’s very easy to get lost in comparisons while trying to figure out which hardware wallet you should choose. But ultimately, it all comes down to where you live, how you use your bitcoins, and how often you travel.

For most purposes, the Trezor works just fine. It has been around for over 6 years, it has been tested by lots of security experts, and it is the original design which has been copied and forked by every company which emerged in the business of hardware wallets. Though major security flaws have been discovered over the years, the fact that they are known makes them easier to avoid – and in some cases it’s better to be aware of your threats and prepare yourself than to be surprised.

But if you travel a lot and you make lots of Bitcoin transactions on the go, it’s worth considering a device which offers more physical security. If you lose your Ledger, it’s very unlikely that the person who finds it will be able to steal your bitcoins. The BitBox02, Cobo Vault, and Coldcard also make use of security chips and they get the job done in a more transparent and verifiable way than the Ledger.

The rule of thumb when choosing a hardware wallet is to take the Peter Todd approach: determine your threat model. Why do you need a hardware wallet in the first place? Is it just a secure device which helps you recover your funds, as you no longer type the 24 words on your computer keyboard? Is it your BTC HODLing gadget? Do you travel with your coins? How many people know where you live and might break into your house? Do you live in a friendly neighborhood? Are you going to use multisig or Shamir backups to eliminate the single point of failure? Does full node connectivity matter to you? Are you going to also HODL shitcoins?

Don’t buy a hardware wallet just because some marketing department pressured you to get it. Think critically and figure out what you need and why you need it. The original purpose of the hardware wallet was to provide a safe way to sign transactions and recover funds, so you don’t need a wiped and air-gapped second computer. In time, these devices have extended their functionality to also facilitate exchange onboarding and grant extra protections against attacks.

But bear in mind that no hardware wallet is perfect and there is always a tradeoff. If you want uncompromising open source hardware and software for your HODLing and home trading, get a Trezor. If you live like a nomad and/or have housemates whom you can't trust and who somehow found out about your passion for Bitcoin, it's better to have something with more physical security like a BitBox02 or Coldcard. And if you travel a lot and you want the highest degree of physical security, you should probably get a Ledger.

Sun Tzu, hardware wallets and threat models

In “The Art of War”, Sun Tzu said “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat”.

By extension, if you don’t know your threat model, then you don’t know yourself and don’t know your enemy. This means that you will always lose. But if you know your own security needs and understand the limitations of your hardware wallet so you can supplement it, then you need not fear the result of a hundred hacking attempts.

It’s easy to get lost in marketing buzzwords and it’s even easier to FOMO on deals and discounts. But if you don’t know why you bought your hardware wallet and you have no idea against whom you’re trying to protect your coins, then you’re likely to also misuse the device and potentially compromise your security with a reckless sense of safety.

The internet is a dangerous place and everyone would love to spend your bitcoins. So if you care about your scarce bits of digital gold, you should do your best to understand the nature of your enemy and through which means he can attack you. Is the enemy nearby or even in your hometown? Does he know where you live? Is the enemy one of your housemates, co-workers, or even family members?

Think in an adversarial way, figure out what works best for you, and from there you will find lots of useful tools. Just be sure to keep it simple enough so you can later reproduce the same pattern to recover your coins.

If it’s all too complicated even for yourself, then you don’t know yourself and Sun Tzu says you’re a loser before the battle even begins. If it’s too simple, then you don’t know your enemy well enough and Sun Tzu says you may get hacked. So you better watch out and stay safe out there!

Vlad Costea

I'm here for the freedom, censorship-resistance, and unconfiscatability. What about you?

One Comment

  1. Cannon

    Trezor T is no longer vulnerable to "physical hacking" with the new encryption feature. Trezor T can use a micro SD card to encrypt the Trezor. When not using the Trezor just keep the micro SD card separate from the Trezor. And a micro SD card is so easy to hide.
