5 Myths on Cold Wallets (or: Why There’s No Real Cold Wallet Out There)
- July 14, 2020
There seems to be a heated debate in the crypto world between cold and hot wallets: cold wallets are thought to be more secure but require processing any transaction manually, while hot wallets enable high-frequency automatic transactions but are less secure. The main argument for using cold storage wallets is that they generate private keys on their own. Cold wallets also claim to enable signing transactions and managing crypto assets without being connected to the internet, keeping users’ private keys outside the reach of hackers.
Sounds like a pretty good argument, doesn’t it? There’s just one problem with it: it’s simply not true. Here’s why: in order to make a cryptocurrency transaction, each user must obtain a string of auto-generated data created by the blockchain. This random string is absolutely mandatory in validating the signed transaction: without this valid signature, the miner will simply disregard the transaction and refrain from inserting it into the blockchain.
Your private key may be stored in an underground atomic shelter and guarded 24/7 by ex-Navy SEALs. But the moment you want to buy, sell or move around Bitcoins, Ethereum or any other digital currency – you need to go online and connect your cold wallet to the internet. Once you’re connected to a PC network, you’re vulnerable to attacks. Why? Because a skilled hacker knows how to creatively find attack vectors on virtually any machine connected to the internet. Sure, it might take him time and effort, but the general rule of thumb is that it takes an average investment of $1M to hack a single PC. Once hackers set their sights on a PC with a cold wallet plugged into it – they will find a way to hack it. Since any transaction to the blockchain is irreversible, once hackers take over your local environment, they can use your private key to create a transaction and drain your account of all its digital assets in minutes.
But wait – what about the new generation of cold wallet vaults that claim to be “air-gapped”? It’s time to bust some myths and common misconceptions about some of the most popular cold wallets on the market:
“I’m using a sophisticated HSM with its own secured hardware. Hackers can’t reach me”
HSMs are an effective way to keep your private keys physically secure. So yes, if your Bitcoins are just lying there, you’re safe. But an HSM can’t possibly validate blockchain transactions on its own: it simply responds to commands coming from the network it’s connected to. What this means is that hackers don’t need to break into the HSM itself (a serious challenge): all they need is to compromise the PC hosting the HSM (a much more attainable task). The moment you buy, sell or transfer cryptocurrency from your PC, hackers can intercept this transaction and steal your funds.
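To illustrate the point above that an HSM signs whatever its host sends, here is an added example (not from the original article or any vendor's firmware) contrasting a blind signer with one that parses the request and applies a destination allowlist and amount limit before signing. HMAC stands in for the real signature scheme, and every key, address and limit is constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample values; not real keys, addresses or limits.
KEY = b"constructed-demo-key-held-inside-the-signer"
ALLOWED_DESTINATIONS = {"addr-treasury-01", "addr-exchange-02"}
MAX_AMOUNT = 5_000


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 stands in for the device's real signature algorithm.
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def blind_sign(payload: bytes) -> str:
    """Signer as the paragraph describes it: signs whatever the host sends."""
    return _sign(payload)


def policy_sign(payload: bytes) -> str:
    """Signer that parses the request and enforces policy before signing."""
    try:
        tx = json.loads(payload)
        dest, amount = tx["to"], tx["amount"]
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError("unparseable transaction") from exc
    if dest not in ALLOWED_DESTINATIONS:
        raise PermissionError(f"destination not allowlisted: {dest}")
    if type(amount) is not int or not 0 < amount <= MAX_AMOUNT:
        raise PermissionError(f"amount outside policy: {amount}")
    return _sign(payload)


def encode(to: str, amount: int) -> bytes:
    return json.dumps({"to": to, "amount": amount}, sort_keys=True).encode()


def demo() -> tuple:
    intended = encode("addr-treasury-01", 1_000)
    # What a compromised host forwards in place of the user's request.
    tampered = encode("addr-unknown-99", 1_000)
    try:
        policy_sign(tampered)
        policy_verdict = "signed"
    except PermissionError:
        policy_verdict = "rejected"
    return bool(blind_sign(tampered)), bool(policy_sign(intended)), policy_verdict
```

The check only helps when it runs inside the signing device's trust boundary; a policy enforced on the host falls with the host.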
“I plugged in my Trezor for just a couple of minutes to pay someone in Bitcoins and took it out immediately once I was done. What can possibly happen in 5 minutes?”
Hackers have clever ways of tracking storage devices that are being connected to the internet. Your thumb-drive is a particularly vulnerable endpoint for them. A skilled hacker will be able to take control of the PC you’re connected to and steal your private keys in the short duration that your thumb-drive is connected. What’s worse, you won’t even know you’re hacked: the hacker can easily change the thumb-drive mini display to show the original transaction you planned to make, while actually funneling your digital assets to himself. Bottom line: there’s no “safe period” to be plugged in. Once you’re online, you’re a target.
“My cold wallet requires simultaneous multi-approvals to run a transaction. There’s no way I can be hacked”
Well, we’ve got some bad news for you: hackers don’t need to hack two PCs at the same time in order to hijack the transaction. Once a hacker breaks into your PC, he has all the time in the world to quietly follow your movements and learn about your network. It can be done by malicious code running in the background of your compromised device, doing nothing but waiting for the command to attack. Once the hacker manages to possess the second PC in the co-approval process, the malicious code will send an automatic notification that it’s time to attack and execute the co-signing transaction. This can happen years after the initial breach took place, but just like a predator quietly ambushing its prey – when the right moment comes, the hacker makes a swift, painful attack, when you least expect it.
“I’m not connecting anything to my PC to make a transaction”
Sure, going wireless feels like the smart thing to do: transactions can be made today by scanning a QR code or using Bluetooth transmission, Wi-Fi, or NFC technology. But let’s not kid ourselves: it really doesn’t matter if you’re going online using an old-school LAN cable or a state-of-the-art wireless connection. In both cases, a bidirectional connection is established between your cold wallet and an internet-connected PC. At that same moment you become visible to hackers, and your cold wallet turns red hot.
OK, so is there any way of making a blockchain transaction while keeping my private keys in cold storage?
GK8 offers a solution that is truly out of the reach of hackers: a patented air-gapped vault that is the only cold wallet on the market able to execute transactions directly to the blockchain. It uses a unique unidirectional connection that enables data to go only out, never in. Unlike all the other cold wallets out there (which, as we’ve just seen, are not really cold…), GK8’s vault is always off the grid and therefore eliminates all the attack vectors that hackers use to breach networked PCs.
In fact, we’ve put the vault to the ultimate test: last February we offered a $250,000 bounty to anyone who managed to break into it, inviting hackers all over the world to take their chances and hack the vault. We even published the physical address of our office where the vault was placed, so hackers could take over our local network (which is the cybersecurity equivalent of jumping blindfolded into an undersea cage filled with hungry Great Whites…). Thousands of hackers from all over the world took a bite at the challenge; none succeeded in breaking into our vault.
So, next time you hear lofty promises about a new “unbreakable” cold wallet, remember this: no cold wallet is really cold if it requires an internet connection to run a blockchain transaction.