Bitcoin developer explains how easy it is to hack hardware wallets

The attacks range from making copies of the hardware in a factory to zapping it with electricity.

Hacks are abundant in the crypto sector. Crypto exchanges were hacked for nearly $1 billion in 2018—leading many to advocate that people should never entrust their funds to centralized exchanges. But is it safer to take control of your own funds? One developer explains why that’s probably making things worse.

Hardware wallets—which look like USB sticks and store your private keys offline—are generally regarded as the safest way to keep control of your cryptocurrencies. Well-known brands include Ledger, Casa and Trezor. But, according to Bitcoin developer Stepan Snigirev, speaking at London-based event Advancing Bitcoin, nothing is unhackable.

Snigirev owns five hardware wallets, several of which he built himself. His first was a spliced Arduino card and an SD card—and they’ve got more complicated since, incorporating multisig and QR codes. So, he knows his way around hardware wallets. He also used to be a quantum computing developer and argues that quantum computers—exponentially more powerful than today’s supercomputers, and theoretically able to crack crypto—are probably still 10-20 years away from being feasible. So Bitcoin maximalists can breathe a sigh of relief.

But in the meantime, there are several attacks that can be used today on hardware wallets that you should be aware of.

One of the most well-known exploits, explains Snigirev, is a “supply-chain hack.” This is where the wallet is compromised while it’s still being built. While such an idea conjures up images of hackers infiltrating factories and installing software on wallets, there are simpler ways to do it.

Hackers, says Snigirev, have been known to hire different manufacturers to build wallets almost identical to the device they’re looking to emulate, and then sell them as if they’re the real deal. But instead of keeping your keys safe, they quietly leak your private keys on a block explorer for hackers to decode and use. The remedy, says Snigirev, is to make sure customers only buy from an official source. And never buy a used or “resold” wallet.

If you lose your physical wallet, or if it falls into the wrong hands, there are ways to breach it. Yes, it’s protected with a passcode, but, says Snigirev, a hacker has a number of tools at his disposal. One is “voltage glitching,” which uses electricity to cause bugs in the wallet’s software. If the hacker gets lucky, a jolt of electricity might bypass instructions—like entering a PIN code—opening up the sensitive information that lies within.

If that fails, Joe Hacker can try a technique called “decapping.” This involves physically removing parts of the computer chips inside the hardware wallet itself. By dropping nitric acid on top and heating it to 100 degrees centigrade, the hacker can reveal data that was previously kept secure. Once the tortured chip is spilling its guts, the hacker pinpoints the part of the memory where the PIN code is stored, and fires a laser and/or ultraviolet light on it. That could reset the PIN code back to 0000—and open the floodgates.

Obviously, this technique requires a certain amount of expertise as well as physical tools that, thus far anyway, are beyond the reach of the still-living-in-his-parents’-basement hacker.

Thankfully, there are ways to prevent these attacks—and the better hardware wallets endeavor to use them. One is to use a tougher coding language that’s more resistant to the above attacks. Trezor’s micropython, for example, is considered to be among the most robust languages on the market. However, this isn’t open source; it’s proprietary and expensive, which means manufacturers need to shell out licensing fees, which makes these wallets more expensive.

But Snigirev says the open-source community is stepping up to help wallet makers fight back, with a tougher-to-crack language called Embedded Rust. Other countermeasures include adding random noise, or random timings, which make the computer processes harder to hack. But the message from Snigirev is clear: Virtually nothing is immune to hacks, no matter how safe someone says it is.
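To make the instruction-skipping risk and the random-timing countermeasure concrete, here is an added example (not from the article, Snigirev's talk or any wallet vendor's firmware) of a PIN check written defensively in C. The function names and the `rand()`-based `rng_next` stand-in for a hardware RNG are assumptions, and the doubled comparison and fail-closed result constants are standard fault-injection hardening that goes beyond the countermeasures the article lists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bitwise-complementary constants: flipping a few bits never turns FAIL into OK. */
#define PIN_OK   0x3CA5965Au
#define PIN_FAIL 0xC35A69A5u

/* Assumption: stand-in for a hardware TRNG; rand() is NOT suitable in firmware. */
static uint32_t rng_next(void) { return (uint32_t)rand(); }

/* Random-length busy loop so the check does not sit at a fixed time offset. */
static void random_delay(void) {
    volatile uint32_t n = rng_next() & 0xFFu;
    while (n) n--;
}

/* Constant-time compare: touches every byte, no early exit on mismatch. */
static uint32_t ct_diff(const uint8_t *a, const uint8_t *b, size_t len) {
    volatile uint32_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint32_t)(a[i] ^ b[i]);
    return diff;
}

/* Fail-closed check: the result starts as FAIL, and the comparison runs twice
   with random delays, so one skipped instruction cannot yield PIN_OK. */
uint32_t verify_pin(const uint8_t *entered, const uint8_t *stored, size_t len) {
    volatile uint32_t result = PIN_FAIL;
    random_delay();
    volatile uint32_t d1 = ct_diff(entered, stored, len);
    random_delay();
    volatile uint32_t d2 = ct_diff(stored, entered, len);
    random_delay();
    if (d1 == 0) {
        if (d2 == 0) {
            if ((d1 | d2) == 0) result = PIN_OK;  /* third, redundant gate */
        }
    }
    return result;
}

int main(void) {
    const uint8_t stored[4] = {1, 2, 3, 4};   /* constructed sample PIN */
    const uint8_t guess[4]  = {0, 0, 0, 0};   /* constructed wrong guess */
    printf("correct: %s\n", verify_pin(stored, stored, 4) == PIN_OK ? "OK" : "FAIL");
    printf("wrong:   %s\n", verify_pin(guess, stored, 4) == PIN_OK ? "OK" : "FAIL");
    return 0;
}
```

Callers should compare the return value against `PIN_OK` explicitly rather than treating any non-zero value as success.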


2019 © Decrypt Media, Inc. All Rights Reserved.
