Doubts Surface Over The Security Of Hardware Wallets

Hardware Wallets

A report compiled by DocDroid indicates that hardware wallets are not as safe and secure as they are claimed to be. Recently also Saleem Rashid, a security researcher, revealed that the hardware wallet manufactured by French company Ledger has vulnerabilities that could lead to users losing their virtual currencies. The vulnerability is however not limited to the Nano S hardware wallet of Ledger. It is present in all hardware wallets that are built using the same architecture.

Basically hardware wallets employ a security module where the main core is separated from the encryption device. This is what makes the manufacturers claim that they are tamper-proof. According to Rashid however the security of the Nano S, as well as that of other hardware wallets bearing a similar architecture, can be compromised.

Private and public keys

With the hardware wallets of virtual currencies there are both private keys and public keys ? the former are for spending funds while the latter are for receiving funds. After every transaction modern hardware wallets create a new address for receiving in order to protect the user?s privacy by having the funds spread across multiple addresses instead of one. Generating a new receive address happens automatically and this is transparent to the wallet?s owner.

The vulnerability of the Nano S, as well as other hardware wallets with similar architecture, is that the displayed receive address is displayed using JavaScript code that is operating on the host machine. The implication of this is that attackers can use malware to replace the code that activates this process and consequently have their own address generate the receive address instead. Once they do this all the future deposits will consequently be sent to the hacker. The owner of the wallet will not be suspicious at all because they will be under the assumption that the address appearing on the screen belongs to them.

AppData folder

With the Nano S the malware doesn?t even have to be sophisticated since admin rights will not be required as the software of the location of the Ledger hardware wallet is in the AppData folder.

In one incident involving the Nano S, a man acquired the hardware wallet from a seller on eBay. The seller had already initialized the hardware wallet and then printed the recovery seed words that had been created. When he shipped the wallet to the buyer he made it look like the recovery seed words originated from the manufacturer. A few days after the buyer of the hardware wallet stored his virtual currencies on the wallet the seller retrieved the funds using the seed words.

One important lesson from the saga is that digital currency hardware wallets should only be purchased from manufacturers and used ones should not be considered at all.

Additionally even after acquiring a hardware wallet from a reputable manufacturer it is important to do a hard reset of the device as an extra security measure. When performing firmware updates it is also important to be careful not to fall prey to malware that is disguised as an update.

Dippli is an independent media outlet that covers the current events in the crypto space. Got breaking news or a story to share? Then feel free to contact us at


Please enter your comment!
Please enter your name here