Cardano Stay Safe Series: Learn about different wallet types, their attack vectors and how to keep your ada safe

Wallets and Their Attack Vectors

The term “wallet” is already confusing, because your ada aren’t in your wallet on your PC. It is better to think of wallets as being like web browsers, and of your ada as somewhat like websites that you can control with the knowledge of the corresponding addresses (private keys).

I think this comes much closer to reality. Then, it’s no wonder that you can install a wallet with the same seed words on several PCs and all display the same content, because they simply query the blockchain.

There are basically 3 types of wallets: software, paper and hardware wallets. I would also like to discuss web wallets, which are, to be precise, also software wallets.

All wallets have their own attack vectors, but they have one thing in common: if someone manages to get your seed words, it’s over. Your ada will be gone. Forever.

Occasionally you will find two additional terms: cold wallet and hot wallet, which I would like to mention briefly.

A cold wallet is not connected to the internet, like a paper wallet. Daedalus can create such paper wallets.

On the other hand, a hot wallet is connected to the Internet, i.e. any software wallet such as Daedalus or Yoroi.

Hardware wallets are special types of cold wallets. Most of the time they are offline, but are connected to a computer from time to time. The secure chip on which your private key is stored is separate from the rest of the system and always “offline”.

A proven approach is to secure a small portion of your ada in a hot wallet and most of your ada in a cold wallet. You can stake your ada from any kind of wallet, by the way. Even from a paper wallet.

Software Wallets

Software wallets, such as Daedalus or Yoroi, are the most common type. When the wallet is created, a private key is generated and encrypted using the spending password in a wallet file on the computer or smartphone.

Some people might think the spending password would additionally protect the seed words. However, this is not the case. Whoever has the seed words does not need a spending password. It is only there to encrypt your private key on the hard disk, in case it gets stolen. For this reason, you must also enter the spending password when you send ada, delegate to a pool, or vote. The wallet has to access the private key at this moment and it can only do so if you enter the password.

If you ever forget your spending password, you can simply delete the wallet and reinstall everything with the seed words.

Attack Vectors
Software wallets are usually attacked with malware:

Theft of Wallet File
The encrypted file can be stolen by a malicious program or by someone who has access to the computer. In addition, an attacker must obtain the spending password.

The password could be logged immediately by the malicious program. A bad password could also be “guessed” by computers if it is either very short or appears in a dictionary (brute force).

Fake Wallet
Another attack vector is to deploy a fake wallet on the victim’s PC or smartphone. As soon as the user installs the wallet and enters his seed words, the fake wallet sends all ada to an address stored by the attacker.

Such false wallets appear both on the desktop and in the app stores. They copy the look of other wallets and even the name of the developer. Developer names are unique in the store, but a clever choice of characters could for example confuse “ADAtainment” with “ADAtalnment”.

Therefore you should always download wallets and updates from reliable sources and check the downloaded file with a hash afterwards.

Clipboard Hijack
Malicious programs that change the clipboard, so-called clipboard hijackers, work like this: they constantly monitor the clipboard and as soon as you copy an address, it is silently and secretly replaced with the attacker’s address. If you don’t check the address again after pasting, you’re out of luck.

“Good” malware programs have a large pool of alternative addresses and select one that is most similar to the replacement address. My tip: after inserting, check at least the first 10 and the last 10 characters of an address.

Conclusion
Daedalus and Yoroi are generally recommended without restriction, but both have their advantages and disadvantages (full node vs. lightweight node).

Web Wallets

Web wallets are also software wallets, but I would like to treat them separately here, since you have to visit a website to use them. On the website you can either enter the seed words, load the private key via a file or connect with a hardware wallet.

Attack Vectors
Great web wallets, such as Ada Lite, run almost completely “locally” in the browser and do not transfer critical data such as the private key. The biggest danger is not visiting the right website, but a malicious one. And there are plenty of ways this could happen:

DNS-Hijacks
In order to display the information of a website, the computer must first receive the IP addresses from the readable address entered, such as adatainment.com. This is best imagined as a phone book. The address adatainment.com is the name and the IP address is the number. The computer must look in a phone book (DNS server) which number belongs to the name.

A very special part of this phonebook is the hosts file on the PC. There you can, for example, configure things to redirect or block pages. If someone with access to the PC or a malicious program manipulates this file, he could enter a different number for any website. As a result, when entering adatainment.com, you actually end up on a page prepared by the attacker. It can look 100% like the real site but do malicious things.

For the sake of completeness, it should be mentioned here that changing the hosts file is not the only way to perform a DNS hijack. You could, among other things, also change the DNS server entry, which of course is more complex.

Change Bookmarks
This attack is very easy to carry out. A malicious program or someone with access to the PC changes the website behind the bookmark. If you click on the bookmark, you will be taken to another page. Of course there is also another address in the address bar. Therefore, for such attacks addresses are often used which are very similar to each other, e.g. adatainment.com is replaced with adatalnment.com.

Phishing Mails / Messages
You can also be redirected to a fake website by phishing emails or messages with links to a “fancy new special version”, “very important update” or other tempting things.

Other PCs
The advantage of web wallets is that you do not need any other software. You may be inclined to use web wallets from other PCs. Don’t. You never know what the security situation of this PC is. Possibly a program that logs everything is intentionally running or perhaps the PC is already unintentionally infected with malware.

Convenience
Since you often need your private key or the seed words for a web wallet, users may be tempted to save them unencrypted in a text file on the PC. There, they can be stolen quickly.

Clipboard Hijack
As with software wallets, malicious programs that change the clipboard would also be a possible attack vector here.

Conclusion
Ada Lite is a good piece of software. Nevertheless, for the reasons mentioned, I would generally advise against web wallets. Simply because they are web pages and you end up on a wrong one way too quickly. If you use them, please only together with a hardware wallet. This way you can be sure that no critical data will be transferred.

Paper Wallets

Paper wallets, such as those created by Daedalus, are very safe in terms of “can be hacked”. No one can hack a piece of paper, especially if it’s in a safe or a safe deposit box.

The big disadvantage is that you can’t use your ada anymore. To use your ada you would first have to import the paper wallet into Daedalus or Yoroi. As soon as a paper wallet is imported, it is no longer as secure as before, because the private key is then stored in a computer.

The principle: if you import a paper wallet, then it is no longer a cold wallet. It becomes a hot wallet and you should not use this paper wallet anymore.

Attack Vectors
Nobody can hack a piece of paper, but they can steal it. The purpose of a paper wallet is not to store your seed words digitally. That’s why you shouldn’t save a paper wallet as a PDF, photograph it or take a screenshot of it. In some companies, all printouts are archived digitally, so you should rather not print out your paper wallet in the office.

Theft
Theft is certainly the number 1 attack vector. This includes photographing or copying the seed words.

Loss / Destruction
They can also be easily lost or destroyed by water and fire.

Malicious Generators
If you use a malicious program to create a paper wallet because you just searched Google for “Paper Wallet Generator”, you will experience the shock of your life when you try to import the wallet again. Your ada will be gone. Forever.

By the way: just because you use a paper wallet generator “offline” does not mean that you are on the safe side. A malicious program could generate many seemingly correct addresses. But these are easily calculable by the programmer of the generator. This means that even if you use such a program on a PC that has never been connected to the Internet before, your ada will be gone. Forever.

Daedalus is the only wallet that creates paper wallets. They can be imported either from Daedalus itself or from Yoroi.

Conclusion
Paper wallets are awesome for the long-term storage of large quantities of ada, when you have a way to store them safely.

Hardware Wallets

The nice thing about a hardware wallet is that, unlike a paper wallet, you can use it even though the private key is protected. It’s a bit like a mixture of software wallet and paper wallet.

In a hardware wallet, the private key is stored in a special chip. Through this chip the private key is isolated from the rest of the system and can’t be used directly. Once stored, it can only be used via an interface. This interface has no option to show the private key, but you can, for example, sign transactions with it. This process is shown on the display of the hardware wallet and must be confirmed with a button on it.

You have to think of it as an armoured box with a slot at the top and bottom. At the top you throw in the desired transaction and at the bottom the signed transaction just falls out. Then it is sent to the network. This design makes the private key of a hardware wallet secure even if it is connected to a computer running some sort of malware, as long as the human being cannot be outwitted into confirming a transaction he does not want to make.

Attack Vectors
As the team of Wallet.Fail shows, hardware wallets are anything but bug-free and the attack vectors can be pretty creative. As with a paper wallet, you first need access to the device itself. It must therefore first be stolen or have already been manipulated in the supply chain / transport route to the customer.

Preconfigured Device
This brings us to the classic attack vector for hardware wallets: the wallet comes already “pre-configured”, sometimes even with a nice package insert with 24 words already occupied for recovery and a small manual. If you use such a “pre-configured” wallet, you will soon be rid of your ada. Therefore these two principles must be observed:

  1. always buy directly from the manufacturer https://www.ledger.com (Nano S, Nano X) or https://trezor.io (Trezor T)

  2. always set up a hardware wallet yourself, making a note of the seed words yourself. After setting up, you should transfer a very small number of ada and test the recovery first.

Theft
Unlike a stolen paper wallet, a hardware wallet requires you to enter a PIN. If this PIN is entered 3 times incorrectly, the hardware wallet will be deleted automatically. Then, it can only be restored with the seed words.

The worst case, of course, is if the private key or the seed words can be extracted from a stolen device through a vulnerability in the system. This was shown on the TREZOR-T at the 35th Chaos Communication Congress (35C3) in December 2018. (If you have some time you should watch the whole video. There are many more attack vectors explained and it is also very entertaining.)

Clipboard Hijack
Malicious programs that alter the clipboard would also be possible here. But, since the address is also shown on the display of the hardware wallet, this attack is easier to spot.

Compromised PC
One way to attack a hardware wallet is to show the user something different (a different destination address or amount) than is actually sent to the hardware wallet. So the computer has been compromised in some way. This is exactly why hardware wallets have a display and you should always match the amount and the destination address. Only confirm the transaction if everything is fine. A hardware wallet is therefore also safe if the computer has been compromised, as long as the human cannot be outwitted.

Hardware Manipulation
Manipulating the display of the hardware wallet is not impossible, but much more complex than, for example, simply changing the clipboard of the computer or the display on the computer screen with a malicious program. The wallet has to be stolen and then put back again. Examples are shown on the website of Wallet.Fail.

Ransom Attack
Another interesting possibility to attack a hardware wallet appeared in March 2019. The ransom attack is based on the fact that a modified wallet (the PC has to be compromised already) generates a receiving address which belongs to your private key, but was chosen very randomly. To understand this, one has to know that wallets normally generate addresses from the private key via an index that starts at 0 and then increases by one: 0, 1, 2, 3… Small gaps like 4, 5, 15, 16… are also possible.

The manipulated wallet chooses a random index in the billion range. The transaction to your address is confirmed normally in the blockchain, but does not appear in your wallet. Your ada still belong to the private key but can only be found with the correct key index, because no wallet software can detect or search such a large gap in the key index.

Some manufacturers like Ledger and TREZOR-T have already announced with firmware updates that the attack is “fixed”. But you have to understand that there is no way to fix it. For example, Ledger issues a warning if the key index is outside a very high range (over 50,000). For the attack itself, however, it is sufficient if the key index only jumps by a few thousand. The difference is: if such an attack happens, you can get back to your ada faster with a lower range. (Since one would have to try all possibilities)

Conclusion
Although a long list of attack vectors is listed here, you need direct access to the wallet or to the PC itself for all of them. With other wallets you would have already lost. If you know about the attack vectors, hardware wallets are pretty secure and offer great flexibility.

What speaks against a hardware wallet is, in any case, the price. For example, if you bought ada for 200 dollars, it is not worth spending between 60 and 120 dollars on a hardware wallet.

20 Likes
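As an added illustration (not part of the original post), this Python sketch audits a hosts file and bookmark URLs for the two redirection tricks the post describes under DNS-Hijacks and Change Bookmarks. The confusables table, function names and sample hosts file are constructed for the example; adatainment.com is the domain the post itself uses.

```python
from urllib.parse import urlsplit

# Constructed, deliberately small confusables table. Real lookalikes can also
# use Unicode homoglyphs, which this sketch does not cover.
_SINGLE = str.maketrans({"i": "l", "1": "l", "0": "o"})
_MULTI = (("rn", "m"), ("vv", "w"))

WATCHED = {"adatainment.com"}  # example domain taken from the post

# Constructed sample hosts file (IP addresses from documentation ranges)
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 203.0.113.9 adatainment.com   (commented out, ignored)
203.0.113.7 adatainment.com www.adatainment.com
198.51.100.4 cdn.example.net
"""


def skeleton(host):
    """Collapse visually confusable characters so lookalikes compare equal."""
    s = host.lower().rstrip(".")
    for seq, repl in _MULTI:
        s = s.replace(seq, repl)
    return s.translate(_SINGLE)


def classify(host, watched=WATCHED):
    """Return 'exact', 'lookalike' or 'other' for one hostname."""
    h = host.lower().rstrip(".")
    h = h[4:] if h.startswith("www.") else h
    if h in watched:
        return "exact"
    if skeleton(h) in {skeleton(w) for w in watched}:
        return "lookalike"
    return "other"


def audit_hosts(text, watched=WATCHED):
    """Flag hosts-file entries that pin a watched domain or name a lookalike.

    Any hosts entry for a wallet domain overrides DNS and deserves review.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            kind = classify(name, watched)
            if kind != "other":
                findings.append((lineno, ip, name, kind))
    return findings


def check_bookmark(url, watched=WATCHED):
    """Classify the host behind a bookmark; only 'exact' is the real site."""
    return classify(urlsplit(url).hostname or "", watched)
```

On the sample input, `audit_hosts(SAMPLE_HOSTS)` reports both names on line 3, and `check_bookmark("https://adatalnment.com/wallet")` returns `"lookalike"`.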
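The key-index gap behind the Ransom Attack section, as an added example that is not part of the original post: a wallet restore that stops after a run of unused addresses never sees funds at a far-away index, while an exhaustive scan up to a known bound does find them. The derivation here is a toy HMAC stand-in, not Cardano's real key derivation, and the gap limit of 20, the seed and the funded indices are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

GAP_LIMIT = 20            # assumed discovery window (common BIP-44 style default)
WARN_THRESHOLD = 50_000   # index above which, per the post, Ledger issues a warning


def derive_address(seed, index):
    """Toy stand-in for index-based derivation; NOT Cardano's real scheme."""
    mac = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256)
    return "addr_toy_" + mac.hexdigest()[:24]


def discover(seed, funded, gap_limit=GAP_LIMIT):
    """Wallet-style restore: walk indices from 0 and stop after
    gap_limit consecutive addresses that were never used."""
    found, unused, index = [], 0, 0
    while unused < gap_limit:
        if derive_address(seed, index) in funded:
            found.append(index)
            unused = 0          # a hit resets the gap counter
        else:
            unused += 1
        index += 1
    return found


def recover(seed, funded, max_index):
    """Exhaustive scan of every index below max_index.
    The work grows linearly with the bound, which is why a lower
    warning threshold means a faster recovery."""
    return [i for i in range(max_index) if derive_address(seed, i) in funded]


def demo():
    seed = b"constructed demo seed, not a real wallet"
    # Constructed ledger: three ordinary receipts plus one at an index
    # only a few thousand higher, which stays below the warning threshold.
    funded = {derive_address(seed, i) for i in (0, 1, 2, 7_000)}
    visible = discover(seed, funded)
    everything = recover(seed, funded, WARN_THRESHOLD)
    return visible, everything


if __name__ == "__main__":
    visible, everything = demo()
    print("wallet shows indices:", visible)
    print("exhaustive scan finds:", everything)
```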

Excellent one @adatainment

2 Likes

Good health to you, Tomii. A very instructive post. It is nice to read when the thoughts are laid out clearly and without unnecessary filler. You are a pro in your field. Could I count on your help with installing a software wallet under Linux (Alta), if you have some free time?

Thank you, installing Daedalus under Linux should be a straightforward thing, but if you run into any problems I recommend creating a new topic in https://forum.cardano.org/c/communitytechnicalsupport and awesome people like @rdlrt, who btw also manages the “Cardano Community Tech Support” group on Telegram (@CardanoCommunityTechSupport), will jump in to answer your questions.

1 Like

Thank You.

You write:

But:

In order to stake from a paper wallet, I would have to import it at least once to create the staking key registration and delegation transaction.

What is the recommended way to do this without compromising the safety of the paper wallet too much?

2 Likes

As I wrote in the text this would instantly burn the whole idea of having a paper wallet. Creating a paper wallet and then importing it again does not give you any security advantages over a regular wallet. Don’t do it. If you care about security then you should consider it as compromised.

The only good way to do this is that the wallet or software that creates the paper wallet exports the staking key at the same time. Unless I’m wrong as of today, there is no software that does it while theoretically, it is doable.

That would not be enough. In order to stake, you have to register the staking key and delegate to a stake pool, which are transactions that have to be signed by a private key belonging to that wallet. Moreover, this can only be done after there are at least a couple of Ada in that wallet, because you need the deposit, the transaction fee, and, as far as I understand that, also the minimal transaction output of 1 ADA. So, it cannot be done when creating the wallet, but has to be done later after transferring some funds to the wallet.

Question is a little academic at the moment, because Daedalus has removed the paper wallet functionality and Yoroi creates Byron paper wallets (which is a little strange) that cannot be staked, anyway. But this renders

false in more than one way.

Also: If wallet apps would allow a one-time, memory-only restore of a paper wallet, it would not be that much more insecure than creating the paper wallet on a potentially infected computer is in the first place. As you alluded to in the “do not save PDF or screenshot, do not print in the office that might archive printouts, …” paragraph, the secrets are digitally on a computer at least during creation. Malware could intercept the printout or look in the cache, where it is stored before printing, take screenshots during creation, keylog the verification, …

I could decide that it’s safe enough to then put them in memory a second time a few days later to start staking, but that would require a trustworthy enough wallet app that not only allows the generation of a Shelley paper wallet, but also restoring it temporarily, in memory only. – Creating a new wallet in Adalite, which does not store secrets on disk, anyway, and producing the paper with a couple of addresses and the (hand-written) seed myself could be an alternative, if I think Adalite is “trustworthy enough”.

Valid points. I wrote the above text at the beginning of 2019. No stake pools, no delegations at that time, mostly based on knowledge of specifications.

As far as I know, you can already separate the payment key from the delegation key via the command line today. I had never tried it but you should be able to pay transaction fees from another wallet. So the tech is there to some extent. It was planned that these delegable paper wallets would come (it still is) but the priorities have shifted here and the possibility to delegate with the hardware wallets is also no longer so urgent.

That’s why it’s good that you bring up these points here so that other people who read the text don’t wonder. Thank you.

(For anyone else reading along I would like to emphasize again that any hardware wallet offers you much more security than fiddling with these solutions yourself)

2 Likes

Oh, sorry! I should have made clearer that I saw that it is quite old.

I was looking for a nice introduction to the different wallets, because we keep explaining them to people coming here with problems over and over again.

Your text is one of the best, most comprehensive, nearly only one that popped up. So, it is much appreciated!

That sounds really interesting. Have to dig into that sometime. (There’s no real urgency. I’m using a hardware wallet myself. Like everyone?)

1 Like