Does anyone happen to have a way to dumb this down? From what I understand this somehow would affect even those with hardware wallets and maybe even cold storage? I just dont get how cold wallets are vulnerable?
33 sats \ 6 replies \ @Satosora 9 Aug
There is no way a cold wallet could be compromised, unless you give out the private key.
Even a computer hacking it would take next to forever to crack it.
reply
122 sats \ 5 replies \ @ek 9 Aug
Cold wallets can be compromised through malicious firmware. This is what Dark Skippy is about: malicious firmware leaking private key information via signatures.
reply
28 sats \ 2 replies \ @Satosora 9 Aug
Okay, I am a bit old school here.
When you were talking about cold wallets, I thought you were talking about the ancient paper wallets.
I see where this is going, with the new electronic cold wallets.
reply
30 sats \ 1 reply \ @ek 9 Aug
If you want to move funds on your cold or paper wallet, you still need a signing device. Afaik, a hardware wallet is the closest thing to a cold wallet that can do that.
But you're right, I didn't distinguish between hardware wallets and cold wallets. Sorry for that.
reply
0 sats \ 0 replies \ @Satosora 9 Aug
No, its okay.
If you do use the hardware wallets, you have to be careful of many things.
But people using them generally dont download malicious hardware.
I would think they would be more secure than that.
reply
20 sats \ 1 reply \ @Cje95 OP 9 Aug
So lets say I have a Ledger and I do all my updates through its platform that in theory should protect me from this right?
reply
0 sats \ 0 replies \ @Satosora 10 Aug
Actually, it says it needs at least two transactions, so if you only but the bitcoin in your wallet, you should still be safe.
reply
53 sats \ 1 reply \ @ek 9 Aug
Is the subtitle not enough?
reply
0 sats \ 0 replies \ @Cje95 OP 9 Aug
Because of their offline nature I was confused. I understood a Ledger or Tezer as something that when you unplugged it and there was no power and no connection it was safe. Obviously that was a super basic summary but hence why I was asking people who would have a much better understanding than me!
reply
52 sats \ 1 reply \ @0xIlmari 9 Aug
This exploit is worth keeping at the back of your head, but it's overly sensationalist.
The way you fall for this starts with updating the firmware in your wallet to a malicious version. This could be the wallet manufacturer going rogue or getting hacked or your computer infected and replacing a downloaded file.
You then sign a transaction with the wallet but the attacker's code emdeds your private key in the transaction in a way that only he can detect (by monitoring incoming transactions). He then sweeps away your funds.
There are multiple lines of defense:
- Make a big deal of updating the firmware. Never update automatically (if your wallet has this functionality). Don't do it immediately after release, wait a few weeks, it's not that important, in most cases. Be especially careful if it seems like the manufacturer is rushing people to update because of a "critical security fix". Triple check firmware checksums (in multiple independent places), write everything down, don't rely on your computer entirely. Even build the firmware from source yourself, if that's possible (ColdCard and Trezor).
- There are ways for software wallets to detect and flag some of these attempts before broadcasting. I imagine more and more wallets will start including these features.
reply
0 sats \ 0 replies \ @Cje95 OP 9 Aug
This was the explanation I was looking for!!! Thank you so much!!!
I am getting the same kinda update vibe with this as I do with my iPhone. Let Apple roll out its update and then wait for them to fix all the bugs that always seem to happen. I would assume if you get your hardware wallet from a reputable company first land like Ledger and do all the updates through them that addresses the most of it. Along with honestly keeping your computer secure as well!
reply
0 sats \ 1 reply \ @JesseJames 9 Aug
You clicked on the unknown file attachment in your email from unknown user and got infected with the virus. Same here, malicious firmware update on your hardware wallet.
Bottom line, don't download $hit you don't know...lol
reply
0 sats \ 0 replies \ @Cje95 OP 9 Aug
Thank you I wasn't trying to reinvent the wheel with this question I was just bamboozled
reply