I tried to find some material on the processes at a company like Ledger. Such as who verifies the components used? Who checks the software that checks the software? I understand due to competition and security they wouldn’t be able to reveal too much but it does beg the questions. As with all the new purchases of devices, a honey pot is being filled up.
Not sure TBH, probably very secure provided your Ledger isn’t intercepted by glowies during shipment. Seems like no matter what you do there’s always going to be a ‘what if’.
Tails, grin wallet, and encrypted seed on good metal is probably the best way to go.
Splitting funds up into different means of storage/security is also a good idea imo. Not having all your grin in one place, split up evenly with some change in a hot wallet for spending/tipping seems right to me.
To my knowledge, no one has managed to hack a Ledger wallet yet. There is only this trick with malware for Ledger that replaces the address you copy-paste with the hacker’s address, using a man-in-the-middle attack when you make a transaction. However, you always have to look at and verify the address you send to on the Ledger device itself before confirming. The Ledger wallet itself is virtually unhackable. Ledger uses an industry-standard security element chip with security audits, so even with malware you would notice that the address you copy-pasted changes when sending. The Ledger wallet itself will always show the actual address you are sending to, which you need to confirm before signing the transaction.
Among other hardware wallets, the Trezor One’s PIN can be bruteforced using custom firmware. However, if you use BIP38 encryption for your seed, it will not work. Furthermore, this hack can only be performed by less than a handful of wallet recovery experts who would not tarnish their reputation hacking an innocent victim’s wallet. So in reality hardware wallets are very safe; the only thing you have to worry about is a $5 wrench attack.
That’s if Ledger doesn’t have bugs and is not evil.
True, but in terms of risk, I would be more worried about the $5 wrench attack due to the fact that the IP addresses for many Bitcoin transactions are known.
I think it is based on trust. The most important thing is to know possible attack vectors. And what your trust is based on. What you can verify, and where the limits of the trust in yourself might be.
- The seed generator cannot be verified by the user.
- The “air gap” communication cannot be easily verified by the user.
They are very secure. There is nothing very special about them - the thing you have to keep secure is the seed phrase you wrote down on a piece of paper.
Like others said, anything’s possible but it’s 1 step more secure than your average hot wallet (Grin++, MetaMask, Trust, etc.). Transactions can’t post without using the physical hardware wallet to confirm.
You can still mess up by saving your seed phrase on public Google Drive or something lol. It’s not idiot proof.
If you’re loaded just use 2-3 different hardware and/or hot wallets to spread your funds around.
I believe that a Ledger device itself is secure from physical attack. I wonder more about the in-house manufacturing/software install processes and how susceptible they could be to corruption or coercion. Like how sure can customers be that every step in the build process prevents those opportunities. I guess as said above, best to do all steps yourself on your own hardware.
It’s not very secure against an attacker with physical access, but it’s better than keeping your keys on a USB stick.
At least the keys are in a secure enclave chip, so (assuming there is no vulnerability in that chip) it should be impractical to extract the keys without knowing the PIN.
But without anti-tamper circuitry, it is possible (I’ve seen a live demonstration of this) to modify the Ledger hardware to capture your PIN or modify the transactions you sign. That is, a physical attacker could do the following:
- modify your Ledger to replace the ‘to’ address of every transaction your Ledger signs, with his own. Effectively stealing the funds of any transaction signed by your Ledger. He could even increase the value field too.
- modify your Ledger to keylog your PIN, so that if the attacker can get physical access a second time, they can read your PIN and use that to steal all your funds
So, in short, Ledger is great for keeping your keys offline, but it is not very robust against physical attacks.
On a side note, the Gridplus Lattice is the only hardware wallet I know of that advertises anti-tamper security, BUT their firmware is closed source, so you just have to trust them. I personally wouldn’t recommend a product that requires you to blindly trust some company’s proprietary code, but if they ever open source their code, I would take a serious look at using them.
Unless you’re a high profile target, the odds of someone breaking into your residence unseen, finding your hardware key, and able to tamper with it, without leaving any trace either of the break-in or the tampering, are exceedingly small. You should worry more about getting killed in traffic.
That said, this scenario of the attacker returning seems quite ludicrous. When instead they could just take your hw wallet with them and replace it with one that does nothing except ask for a PIN and transmit it (maybe claim it was entered wrong to make the victim enter it twice).
I didn’t say it was likely, I just said it was possible. Also, an attacker doesn’t always have to “break in”. Ever heard of an evil maid?
@Cryptised said Ledger is secure against physical attack. I pointed out that it is not. I didn’t say a physical attack was likely, or that you should sleep in fear, or anything like that.
Again, you’re making a lot of assumptions about the attacker. Friends, family, an evil maid, all may have recurring access to your home, office, or property. Would you be surprised to learn that the majority of crimes are perpetrated by someone with a trusted relationship to the victim?
I’m not saying Ledgers are insecure. I’m just clarifying the attack surface. If you aren’t worried about physical attacks, then a Ledger is great for you. If you are worried about physical attacks, then you should consider more than just a Ledger in your security strategy. What about this statement is ludicrous?
Yes, I was assuming the threat model of people like myself, who trust the people they live with and don’t have other people like maids with unsupervised access to their home. If you have to worry about your spouse or kids stealing your crypto then I’d say you have bigger problems.
Admittedly, this doesn’t apply to all people, and for them a returning attacker could be less than ludicrous…
Not to beat a dead horse… but there is an important reason to clarify this, even though you are not worried about your opsec.
If people mistakenly think Ledger is secure against physical attack, they may think it is safe to bring to work/school every day, or even leave unattended, because they think it is secure even in the hands of a bad actor. I would rather not give people that false sense of security, so they can make an informed decision about how to handle a Ledger.
Keep your Ledger at home? Great for most people.
Keep it in a safe? Even better.
Keep it in a backpack and take it to work/school every day? That’s risky. Better hope you don’t have a nosey coworker rummage through your bag while you’re at lunch.
Then again, the odds of a coworker being able to tamper with a hardware wallet to make it record your PIN are closer to 1 in a million than 1 in a thousand. The bigger risk is them recording you while you enter your PIN (placing hidden cameras everywhere).
The chance of someone who hears or suspects you have Bitcoin using physical violence is much bigger than someone being able to hack or tamper with a hardware wallet. The biggest security risk IMO is people enthusiastically talking about their holdings, their IP being revealed in a Bitcoin transaction, data leaks with addresses, such as the Ledger database hack. There are far more people willing and capable to resort to violence or extortion.