52 sats \ 1 reply \ @0xIlmari 9 Aug \ on: ‘Dark Skippy’ method can steal Bitcoin hardware wallet keys bitdevs
This exploit is worth keeping at the back of your head, but it's overly sensationalist.
The way you fall for this starts with updating the firmware in your wallet to a malicious version. This could be the wallet manufacturer going rogue or getting hacked or your computer infected and replacing a downloaded file.
You then sign a transaction with the wallet but the attacker's code emdeds your private key in the transaction in a way that only he can detect (by monitoring incoming transactions). He then sweeps away your funds.
There are multiple lines of defense:
- Make a big deal of updating the firmware. Never update automatically (if your wallet has this functionality). Don't do it immediately after release, wait a few weeks, it's not that important, in most cases. Be especially careful if it seems like the manufacturer is rushing people to update because of a "critical security fix". Triple check firmware checksums (in multiple independent places), write everything down, don't rely on your computer entirely. Even build the firmware from source yourself, if that's possible (ColdCard and Trezor).
- There are ways for software wallets to detect and flag some of these attempts before broadcasting. I imagine more and more wallets will start including these features.
This was the explanation I was looking for!!! Thank you so much!!!
I am getting the same kinda update vibe with this as I do with my iPhone. Let Apple roll out its update and then wait for them to fix all the bugs that always seem to happen. I would assume if you get your hardware wallet from a reputable company first land like Ledger and do all the updates through them that addresses the most of it. Along with honestly keeping your computer secure as well!
reply