Security in Crypto, Hardware Wallets and Pseudonymity - Part 5/7

In Part 5 we delve deeper into user habits affecting security using a jail-breaking example. We then define what Hardware wallets are.

Edit: As of 2023, I stopped working on Web3 Security Topics. The basic premise of Crypto is broken, it assumes that society must become trustless and develop software(s) to support a trustless society. But since as per religious teachers and scriptures, God created the world and God exists, we must trust in God and not seek to build a trustless society. As of June 2024, after a 1 year search, I came across the book Gyan Ganga written by Tattvadarshi (All Knowledgeable) Saint Rampal Ji Maharaj Bhagwaan Ji. After reading it twice, between June and August 2024, I felt confident to follow the path given by him. I encourage you to do the same: https://www.jagatgururampalji.org/gyan_ganga_english.pdf Please don't enter or invest in crypto.


Jail-breaking devices/software can be dangerous: A person using a jail-breaking technique could risk having keyloggers and trojans installed on their computer. For example, YouTube (YT) forbids downloading YT videos to devices as standalone files. But if you go to any browser addon page, you will get dozens of results for YT video downloaders. You can now circumvent YT and Google’s usage policy and download standalone videos from YT. But what cost have you paid? If you have never read the fine print, you should know that these YT downloader addons, and many other addons, ask for your permission to ‘view data from all websites’. This is a significant privilege: it can basically beat all your security countermeasures and snoop your seed phrase and MetaMask password from right under your nose. The developers of these addons may even be legitimate, but they are probably maintaining them part time, and are most likely not compensated well enough to accurately assess all commits to their code base. A clever hacker can add malicious code to the YT downloader's GitHub repository, get it approved surreptitiously, and thereby gain those added privileges and snoop on all users of the addon.

Such vulnerabilities are rarely discussed and yet, large swathes of people are at risk from these types of attacks.

Browser addons, cracked software and porn websites can be dangerous as well: Most people are unaware of the risks of giving sweeping permissions to browser addons [1], using jail-breaking techniques [2,3], using cracked software [4,5] and picking up malicious software from porn websites [6-9], on both personal computers and mobile phones.
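To see which add-ons hold the ‘view data from all websites’ privilege described above, you can audit their `manifest.json` files for host patterns that cover every site. The following is an added example, not code from the original post: the function names are hypothetical, the three manifests are constructed samples, and the keys read are the standard WebExtension manifest fields (`permissions`, `host_permissions`, `optional_permissions`, `optional_host_permissions`, `content_scripts[].matches`).

```javascript
// Added example: flag extensions whose manifest grants access to every website.
// The manifests below are constructed samples, not real add-ons.

// A pattern covers all sites if it is "<all_urls>" or its host part is a bare "*".
function coversAllSites(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|[a-z]+):\/\/([^/]*)\/.*$/.exec(pattern);
  if (!m) return false; // an API permission name such as "storage", not a host pattern
  const [, scheme, host] = m;
  return host === "*" && ["*", "http", "https"].includes(scheme);
}

// Collect every place a manifest (v2 or v3) can declare host access.
function auditManifest(manifest) {
  const sources = {
    permissions: manifest.permissions || [],            // MV2 mixes host patterns in here
    host_permissions: manifest.host_permissions || [],  // MV3
    optional_permissions: manifest.optional_permissions || [],
    optional_host_permissions: manifest.optional_host_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  };
  const findings = [];
  for (const [field, patterns] of Object.entries(sources)) {
    for (const p of patterns) {
      if (typeof p === "string" && coversAllSites(p)) findings.push({ field, pattern: p });
    }
  }
  return { name: manifest.name, allSites: findings.length > 0, findings };
}

const SAMPLE_MANIFESTS = [
  { name: "Video Downloader (constructed)", manifest_version: 2,
    permissions: ["downloads", "tabs", "<all_urls>"] },
  { name: "Page Helper (constructed)", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://*/*"],
    content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }] },
  { name: "Single-site Tool (constructed)", manifest_version: 3,
    permissions: ["activeTab", "storage"],
    host_permissions: ["https://*.example.com/*"] },
];

function auditAll(manifests) { return manifests.map(auditManifest); }

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.allSites ? "ALL SITES" : "scoped   "}  ${r.name}`,
              r.findings.map(f => `${f.field}:${f.pattern}`).join(", "));
}
```

Any add-on reported as `ALL SITES` can read and modify pages on every site you visit, including a web wallet's unlock screen, so it does not belong in the browser profile used for crypto.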

The simplest solution is to use a clean device (both laptop and mobile phone) for all your crypto activities and air gap this device as much as possible from other devices. Do not install unnecessary applications (especially social media) and addons on this device, don’t open DMs and links, don’t trade in DMs, and keep its use limited to crypto.

If you have read this far in this series, congratulations! Thanks for reading, and hopefully this has shed some light on all the vulnerabilities and modes of attack one needs to safeguard their digital assets from. You have arrived at the final and most important security step when using and storing crypto and NFTs: using a Hardware Wallet.

A Hardware Wallet ensures:

  1. Your seed phrase is only ever visible on the device itself when a new wallet is first created on the hardware wallet.
  2. You only have to enter the seed phrase again if you have to reset/replace the device, and again you enter it directly into the device. Thus you never need to digitize it.
  3. The device will securely encrypt the private key, and the private key will never leave the device by means of remote actions from the internet or other applications being installed on it.
  4. The encryption of the private key is achieved by using a 4-8 digit secret PIN that the user sets on the device using tough physical buttons. This PIN, once again, never leaves the device, nor should you digitize it anywhere else. Physical buttons can’t be operated through the internet by hackers.

Now, if you can ensure the security of the seed phrase while backing it up in a secure offline location for your future use (when you need to restore the wallet on a new hardware wallet), you basically have state-of-the-art encryption for your crypto and NFT assets [10].

Choice of Hardware Wallets: I will stick to comparing and describing the two hardware wallets that are most popular and that I have been able to purchase and test: Ledger Nano X [11] and Trezor Model T [12].


Before we discuss it in depth, the TL;DR version is:

  1. Get a Ledger Nano X, from the official website: https://www.ledger.com/
  2. Don’t ever purchase a hardware wallet from a marketplace like Amazon or eBay: you don’t know who the seller is in this case, or whether trust has been maintained in supply chain security. Many people buying on Amazon and eBay have reported receiving tampered hardware wallets that arrive with a seed phrase already set up and written out on a card, or worse, USB sticks with malware on them instead of a Hardware Wallet.
  3. Finally, while ordering your wallet from Ledger’s official website, ensure that you purchase it under a pseudonym or a friend/relative’s name who doesn't transact in crypto.
  4. Use a shipping address that is not your home address. Don’t reveal your phone number and use a crypto specific burner email address that can’t identify you while placing this order.

Next: In Part 6 we will contrast and compare the choices of hardware wallets in full detail, and look at the security vulnerabilities that have been exploited in them in the past.

References:

  1. Evuri, M. (2020). How Browser Extensions can Exploit User Activities for Malicious Operations - CloudSEK. [online] cloudsek.com. Available at: https://cloudsek.com/how-browser-extensions-can-exploit-user-activities-for-malicious-operations/ [Accessed 29 Jun. 2022].
  2. Fleishman, G. (2015). Hacking Team hack reveals why you shouldn’t jailbreak your iPhone. [online] Macworld. Available at: https://www.macworld.com/article/225858/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html [Accessed 30 Jun. 2022].
  3. Apple.com (2018). Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues. [online] Apple Support. Available at: https://support.apple.com/en-us/HT201954 [Accessed 30 Jun. 2022].
  4. Bistriceanu, I. (n.d.). Dangers Of Using Pirated Software. [online] www.bitdefender.com. Available at: https://www.bitdefender.com/tech-assist/self-help/dangers-of-using-pirated-software.html [Accessed 30 Jun. 2022].
  5. Gallagher, S. and Polat, Y. (2021). Fake pirated software sites serve up malware droppers as a service. [online] Sophos News. Available at: https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/ [Accessed 30 Jun. 2022].
  6. Dashevsky, E. (2013). Just how much malware is on free porn sites? [online] PCWorld. Available at: https://www.pcworld.com/article/451366/just-how-much-malware-is-on-free-porn-sites.html [Accessed 30 Jun. 2022].
  7. Threat Intelligence Team (2020). Malvertising campaigns come back in full swing. [online] Malwarebytes Labs. Available at: https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/ [Accessed 30 Jun. 2022].
  8. Miriam, C. (2021). Is Pornhub Safe? How to Browse Adult Websites Securely. [online] Heimdal Security Blog. Available at: https://heimdalsecurity.com/blog/is-pornhub-safe-how-to-browse-adult-websites-securely/ [Accessed 30 Jun. 2022].
  9. Trend Micro News. (2021). How to Watch Porn Safely and Discreetly - 7 Tips. [online] Available at: https://news.trendmicro.com/2021/12/20/how-to-watch-porn-safely-and-discreetly/.
  10. en.bitcoin.it. (n.d.). Hardware wallet - Bitcoin Wiki. [online] Available at: https://en.bitcoin.it/wiki/Hardware_wallet [Accessed 30 Jun. 2022].
  11. Ledger (n.d.). Ledger Nano X. [online] Ledger. Available at: https://shop.ledger.com/products/ledger-nano-x [Accessed 30 Jun. 2022].
  12. Trezor (n.d.). Trezor Model T. [online] shop.trezor.io. Available at: https://shop.trezor.io/product/trezor-model-t [Accessed 30 Jun. 2022].

The author holds an M.S. in Engineering from Columbia University, and has a decade of research and industry experience in software and hardware design. He has been researching crypto security since early 2021. He can be followed on Twitter: @MetaversityOne and also his Hashnode Blog: https://cryptosecurity.hashnode.dev/
