
5 Common Cold Wallet Myths (or: Why There’s No Real Cold Wallet Out There)

There seems to be some heated debate in the blockchain world over cold versus hot wallets. Cold wallets are thought to be more secure but require processing any transaction manually, while hot wallets enable high-frequency automatic transactions but are less secure. The main argument for using cold storage wallets is that they generate private keys on their own. Cold wallets also claim to enable signing transactions and managing crypto assets without being connected to the internet, keeping users’ private keys outside the reach of hackers.

Sounds like a pretty good argument, doesn’t it? There’s just one problem with it: it’s simply not true. Here’s why: in order to make a cryptocurrency transaction, the user must obtain a string of auto-generated data created by the blockchain. This random string is mandatory for validating the signed transaction. Without this valid signature, the miner will simply disregard and void the transaction.

Your private key may be stored in an underground atomic shelter, guarded 24/7 by ex-Navy Seals; but the moment you want to buy, sell or move around Bitcoin, Ethereum, or any other digital currency – you need to go online and connect your cold wallet to the internet. Once you’re connected to a PC network, you’re vulnerable to attacks.

Why? Because a skilled hacker knows how to creatively find attack vectors on virtually any machine connected to the internet. Sure, it might take him time and effort, but the general rule of thumb is that on average it takes an investment of ~$1M to hack a single PC. Once hackers set their sights on a PC with a cold wallet plugged into it – they will find a way to hack it. Since any transaction on the blockchain is irreversible, once hackers take over your local environment, they can use your private key to create a transaction and drain your account and digital assets in minutes.

But wait – what about the new generation of cold wallet vaults that claim to be “air-gapped”? It’s time to bust some myths and common misconceptions about some of the most popular cold wallets in the market:

“I’m using a sophisticated HSM with its own secured hardware. Hackers can’t reach me.”

HSMs are an effective way to keep your private keys physically secure. So yes, if your Bitcoins are just lying there offline, you’re safe. But an HSM can’t possibly validate blockchain transactions on its own. It simply responds to commands coming from the network. What this means is that hackers don’t need to break into the HSM itself (a serious challenge). All they need is to compromise the PC or server hosting the HSM (a much more attainable task). The moment you buy, sell or transfer cryptocurrency from your PC, hackers can intercept this transaction and steal your funds.
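The trust boundary described above, as an added example that is not GK8's or any HSM vendor's code: a signer that signs an opaque digest cannot tell the intended transaction from a different one submitted by its host, while a signer that parses the request can at least refuse what its policy excludes. It goes beyond the text by adding that signer-side check; the JSON transaction format, the address names, the policy values and the use of HMAC-SHA256 in place of a real signature scheme are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

HSM_KEY = b"constructed-demo-key"  # constructed; stands in for a key that never leaves the HSM
ALLOWED_DESTINATIONS = {"addr-treasury", "addr-exchange"}  # hypothetical policy held in the signer
MAX_AMOUNT = 5  # hypothetical per-transaction limit

def _sign(payload: bytes) -> str:
    # HMAC-SHA256 is a stand-in for the device's real signature primitive.
    return hmac.new(HSM_KEY, payload, hashlib.sha256).hexdigest()

def blind_sign(digest: bytes) -> str:
    """Sign whatever digest the host submits; its meaning is opaque to the signer."""
    return _sign(digest)

def policy_sign(raw_tx: bytes) -> str:
    """Parse the transaction inside the signer and check policy before signing."""
    try:
        tx = json.loads(raw_tx)
        dest, amount = tx["to"], tx["amount"]
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError("unparseable signing request") from exc
    if not isinstance(dest, str) or dest not in ALLOWED_DESTINATIONS:
        raise PermissionError(f"destination {dest!r} not in policy")
    if type(amount) is not int or not 0 < amount <= MAX_AMOUNT:
        raise PermissionError("amount outside policy")
    return _sign(hashlib.sha256(raw_tx).digest())

def encode(to: str, amount: int) -> bytes:
    # Constructed transaction format for this example only.
    return json.dumps({"to": to, "amount": amount}, sort_keys=True).encode()

def accepts(signer, request: bytes) -> bool:
    try:
        signer(request)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    intended = encode("addr-exchange", 2)    # what the user asked the host to send
    substituted = encode("addr-unknown", 2)  # what a compromised host submits instead
    return {
        "blind_signs_substituted": accepts(blind_sign, hashlib.sha256(substituted).digest()),
        "policy_signs_intended": accepts(policy_sign, intended),
        "policy_signs_substituted": accepts(policy_sign, substituted),
    }
```

The policy check only narrows what the host can obtain a signature for: a compromised host can still request any transaction the policy permits.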

“I plugged in my Trezor for just a couple of minutes to pay someone in Bitcoins and took it out immediately once I was done. What can possibly happen in 5 minutes?”

Hackers have clever ways of tracking storage devices connected to the internet. Your thumb-drive is a particularly vulnerable endpoint for them. A skilled hacker will be able to take control of the PC you’re connected to and steal your private keys in the short duration that your thumb-drive is connected. What’s worse, you won’t even know you’re hacked. The hacker can easily change the thumb-drive mini display (to show the original transaction you planned to make) while actually funneling your digital assets elsewhere. Bottom line: there’s no “safe period” to be plugged in. Once you’re online, you’re a target.

“My cold wallet requires simultaneous multi-approvals to run a transaction. There’s no way I can be hacked.”

Well, we’ve got some bad news for you: hackers don’t need to hack two PCs at the same time in order to hijack a transaction. Once a hacker breaks into your PC, he has all the time in the world to quietly follow your movements and learn about your network. This can be done by malicious code running in the background, doing nothing but waiting for the command to attack. Once the hacker manages to take over the second PC in the co-approval process, the malicious code will send an automatic notification that it’s time to attack and execute the co-signing transaction. This can happen years after the initial breach took place, but just like a predator quietly ambushing its prey – when the right moment comes, the hacker makes a swift, painful attack when you least expect it.

“I’m not connecting anything to my PC to make a transaction.”

Sure, going wireless feels like a smart thing to do. Transactions can be made today by scanning a QR code or using Bluetooth transmission, Wi-Fi, or NFC technology. But let’s not kid ourselves: it really doesn’t matter if you’re going online using an ‘old-school’ LAN cable or a state-of-the-art wireless connection. In both cases, a bidirectional connection is established between your cold wallet and an internet-connected PC. At that same moment you become visible to hackers, and your ‘cold wallet turns red hot’.

OK, so is there any way of making a blockchain transaction while keeping my private keys in cold storage?

GK8 offers a solution that is truly out of the reach of hackers: a patented, air-gapped vault that is the only cold wallet in the market able to broadcast transactions directly to the blockchain. It utilizes unidirectional connectivity that enables data to travel from the vault to the blockchain, never in. Unlike all the other cold wallets out there (which, as we’ve seen, are not really cold…), GK8’s vault is always off the grid and therefore eliminates all the attack vectors that hackers can use to breach network PCs.

In fact, we put our vault to the ultimate test: we offered a bounty for anyone who managed to hack into it, inviting hackers all over the world to take their chances. We’ve even published the address of our office (where the vault was placed), so hackers could attempt to take control of our local network (which is the cybersecurity equivalent of jumping blindfolded into a cage filled with hungry Great Whites…). Thousands of hackers, from all over the world, took a bite at the challenge. None succeeded!

So, next time you hear promises about a new “unhackable” cold wallet, remember this: no cold wallet is really cold if it requires internet connectivity to run a blockchain transaction.