If you’ve been a participant in the coin market for an extended period, you know that security breaches occur occasionally despite the good projects that have been built in the industry.
Hackers, fraudsters and other malicious players routinely strive to steal crypto assets. Since cryptocurrencies became popular, the frequency of attempts has increased, which is not surprising.
So is it possible to lose your coins to fraudsters who imitate genuine hardware wallets? Is it even possible for hardware wallets to be imitated? Trezor is a leader in the hardware wallet market. The company issued a warning in 2018 about the presence of fake products imitating their hardware wallets. In the release, the company said,
“[PSA] In recent weeks we have discovered a non-genuine Trezor One device which tries to imitate the original to the bone.
For more information on how to spot a fake Trezor One device, please read our latest blog post here: https://t.co/tpe21iTVXm”
This development is not surprising. It is common knowledge that fraudsters will make an attempt at faking anything if there is the possibility of making money from it. Trezor later said that it was not the first time fraudsters have attempted cloning the Trezor device.
However, it seems that this is the first time an unidentified fraudster is working to fool users of the device. The release assured users that there are marked differences between the Trezor wallet and the fake one in terms of appearance and functionality.
Different From The Original
It went on to describe the many differences that Trezor users should watch out for. The release said that some of the differences to look out for are in the packaging of the fake hardware wallet, which is not as aesthetic as the original.
According to SatoshiLabs, the similarities may just end with physical features. They stated that the fake device may not have the functionalities of the real Trezor and may be full of malware. Although this is not the first time Trezor has been copied, the company said that it may be complimentary that others are copying their device.
Nevertheless, there is no doubt that if you’re fooled into storing your funds in a fake hardware wallet, irrespective of the brand, you will likely lose your cryptocurrencies.
The fake product, which has “Made in China” written on it, is just another attempt at cloning Trezor, which claims that its products cannot be breached by hacking. This was proven false when some hackers broke into a Trezor wallet in August 2017, causing identification of private keys and theft of digital currencies.
Investigations by Trezor revealed that the seed for the hacked wallet was stored at a location accessible to the hackers. After upgrades, the company has continued assuring users that the device is safe.
SeptreAttack, a cyber security and audit company, has announced that there are vulnerabilities affecting not just Trezor but all devices using Intel, AMD and ARM processors, whatever device they are installed in. The list of devices included PCs, laptops, tablets and smartphones.
A CT report said,
“The Meltdown bug afflicted Intel chips that were estimated to be installed in about 90 percent of all computers worldwide. The Spectre bug affected Intel, ARM and AMD chips on any device and both types of malware were reported to be capable of operating in cloud storage environments.”
When The Fake is A Gift
Hardware fraud is not uncommon in the cryptoverse. In January 2017, some attendees of Bitcoin Conferences were given fake hardware wallets meant to steal funds that would be placed on the devices.
There has been another instance in which a hacker was able to reset a user’s password after he faked the user ID with T-Mobile, the telecom carrier the user was registered with. It was not revealed how much bitcoin was stolen by the hacker.
Vulnerabilities do exist in hardware wallets despite the reassurances given by manufacturers. Hackers are also working hard at using phishing techniques to steal passwords and private keys.
Karl Kreder, Ph.D., wrote in a blog post that there are a number of vulnerabilities that can affect hardware wallets:
Man in the Middle Attack
This is an attack which, according to Kreder, is possible with cold storage devices that display 8 digits of the wallet address whenever the user sends funds. According to him, there are services such as vante.com which could hack the devices at a cost of $800.
Another possible man-in-the-middle attack comes from resellers who tamper with the device. This is the reason why you must make sure that you purchase your hardware wallets from authorized sources such as Trezor and Ledger stores.
A British man lost $34,000, his life’s savings, after storing his coins in a wallet that the seller had already tampered with by inserting theirs. According to the victim,
“I have not used my Ledger in a week. Today I decided to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not accessed my Ledger in a week.”
User Device Firmware Upgrade
This is a vulnerability that occurs when the wallet is updated at the prompting of the manufacturer.
According to CT,
“Wallets like Ledger and Trezor can be vulnerable when being upgraded via a USB port. This option is often allowed by a manufacturer with the help of so-called USB Device Firmware Upgrade (DFU). As reported, the market has already seen successful attempts to use DFU to remotely dump the memory of the STM32F family of microcontrollers.”
Some of the hazards the hardware owner faces at this time are the possibility of theft of private keys and having malicious actors flash the device through the introduction of malware.
Ordinarily, when a hardware wallet falls into the wrong hands, manufacturers reset the device after three unsuccessful attempts at logging in.
“It has been shown by Cryptotronix developers that Trezor STM32F205 could be glitched by using both Vcc and clock glitching attacks. As a result, the device becomes vulnerable and private keys can be obtained by a third party without needing to know the pin,” the CT report said.
Vulnerabilities Arising from Supply Chain
A supply chain vulnerability occurs when the device is tampered with after it has been sent to the buyer by the manufacturer. The device is protected by a holographic seal, which may be removed so that the device can be flashed with a malicious version of the software.
When the holographic seal is reapplied, the buyer may not know that the new software in the hardware wallet is meant to steal their cryptocurrency.
It is possible to spy on a device using the phone camera of the owner. This is why storage of recovery phrases and passwords can be the weak link in securing cryptocurrencies.
As expected, the community reaction was mixed: some people harangued Trezor for relying on a holographic seal for security, while others feel that the company has not done enough to secure its devices.
Some commentators gave suggestions to the manufacturer on how to improve the security of the device. Some who have bought the fake version also narrated their experiences.
“I can confirm. I bought 2 on Amazon several months ago, and they have the wrong holographic seal. Never opened them.”
— Brooke (@bitcoinmom) November 19, 2018.
Fraudsters Are Interested in $220 Million Market
It really is not surprising that people are willing to fake products in a market worth $220 million. That the fake product is substantially cheaper than the original will be enough incentive to attract buyers.
Unfortunately, it will also be an easy path to losing their cryptocurrencies to fraudsters. Experts are recommending vigilance while purchasing hardware wallets. A Trezor official wrote:
“Hello Rahul, the main differences are the hologram and barcode on the back of the box. The fake Trezor could be using our firmware, so it is best not to use it. The safest is to buy Trezor from our official shop or resellers.”
They also advise owning more than one hardware wallet to diversify risks. The manufacturers have been advised to use legal means to stop the cloning of these devices.