Robert Steinadler, 13 days ago
Hardware wallets are the top-notch solution to keep cryptocurrencies and NFTs safe and sound. The devices are designed to provide a secure environment that is immune to remote access by any attacker. Therefore, most influencers, the broader media, and crypto communities recommend using a hardware wallet. Beginners especially are told to use them to store their crypto. This is only sound advice given the fact that crypto worth billions of dollars has been lost since the inception of Bitcoin.
However, a report from Kaspersky raises the question of whether hardware wallets are more vulnerable than we all thought.
Make no mistake, it is not easy to crack a hardware wallet, if it is possible at all. In the last 6 years, several reports showed that hardware wallets from different manufacturers suffer from vulnerabilities. The good news is that all these attack vectors don’t matter in the wild. The wallets got cracked, but exploiting them takes a lab and a lot of time. A hacker who is looking to steal crypto typically doesn’t have these three things: physical access, industry-grade equipment, and a lot of time.
However, one attack vector remains valid because it provides the criminals with all three of these components. In a supply chain attack, the hacker delivers manipulated devices to the victim. The attacker buys a device on the open market and starts working on it. Once finished, the attacker can offer that device on the secondary market to his victims.
This is why crypto enthusiasts are told to buy their devices directly from the manufacturer or a certified reseller. They usually make sure that the device is delivered tamper-proof. However, should the package arrive broken, the manufacturer or reseller will usually provide a new device and check whether the other one got hacked.
Yesterday, Kaspersky raised the alarm on hardware wallets from the manufacturer Trezor. Apparently, the security company found a device that was professionally manipulated. In this case, the attacker opened the casing, replaced parts of the chipset, and reprogrammed the wallet.
According to the report, this allowed the hacker to know the private keys before they were generated by the victim. Once enough crypto has accumulated on the wallet, the criminals can decide to withdraw the funds, with the victim being totally unaware and helpless against the attack.
The good news is that Trezor said that the device is likely from an unauthorized Russian reseller who tried to trick people in 2022. According to Trezor, no other cases were reported involving a supply chain attack. Instead, Kaspersky found an old device and created a lot of buzz.
However, it is always recommended to stay vigilant and follow security advice on how to store crypto safely. If you would like to dig deeper into this topic, we recommend reading our articles about password security, how to take self-custody, and how to set up a Bitcoin wallet. You can also check out the introduction to account security and all the other great educational material we have prepared.