I've come across the idea that using air gapped devices for cold storage is one of the best ways to keep your bitcoin safe from malware, phishing, and keyloggers targeting your private keys. Sounds pretty solid, but I’ve got some questions.
Are we really sure there’s no malware that can target QR codes? I mean, sending the PSBT to the offline device via QR code seems risky.
Also, I've seen instances where malware can infect SD cards. If you keep reusing the same SD card, isn't that a potential issue?
That's what’s making me skeptical.
Air gapped devices: the safest option for cold storage
11 replies 515 views
Firstly there is no one that say there is no malware on QR code, most malwares coming from QR codes are actually either from the software that it was generated from (thats why generating your QR code using third party apps is total wrong) or the device that scans the QR code is infected such that it changes the address scanned from the code, and its reason why you need to actually verify the transaction yet again.
But there are devices which actually gives you the QR code directly for your watch only wallet to derive and example is the Electrum wallet.
Yes an SD card can be infected if you actually installed it into a corrupted online device thats why if it is SD card youre using use it with an adapter such that you lock and make it a read only or use a USB with read only switch too.
But QR code still stands out if not generated by third party
If the device used to create PSBT QR code is infected, theoretically the malware could replace the PSBT QR with their own PSBT which send Bitcoin to their address.
On Linux, you also can mount external storage as read-only and disallow any running executable from it.
john.cobraHero Member
Posts: 408 · Reputation: 2145
#4Aug 21, 2024, 09:43 PM
There is no setup that is completely bulletproof, so we probably cannot say that an air-gapped wallet is a 100% safe way of storing private keys and performing transactions. Honestly, I've always been curious about the possibility of hackers successfully attacking an air-gapped device through QR codes or even an SD card, but I think the chances of that happening are very small if the user knows where such threats come from.
In other words, if someone has a habit of using pirated software, downloading multimedia from the internet and visiting suspicious websites, it is very likely that they will pick up something malicious, especially if they do not have any security software. Even then, most ordinary hardware wallets or air-gapped devices will be of great help to any careful user to recognize that something is not as it should be.
Therefore, I would conclude that there is no better protection than using an air-gapped wallet with, of course, all the security measures that go along with it.
silentchainHero Member
Posts: 473 · Reputation: 2317
#5Aug 22, 2024, 01:22 AM
If malware is already sitting on your device then malicious QR may instruct it to do some bad actions.
If your device is clean then you are safe simply because any QR can not contain malware itself because on any existing standarts QR code is far too small to accomodate any meaningful executable.
For instance, size of QR subjected to ISO/IEC 18004:
~3K of bytes is far too little to be taken seriously by malware developers.
paul.stakeHero Member
Posts: 651 · Reputation: 3798
#6Aug 22, 2024, 04:37 AM
Your airgapped device will decode the QR code and read a PSBT. It will then show the PSBT to the hardware screen, so that you, manually, confirm it spends the correct inputs to the correct outputs. No, it cannot do anything malicious, considering the hardware device is not compromised and you verified the image that was installed in your airgapped device.
In this case, i agree with you. But in different scenario where the device of QR scanner have internet access, 3KB is enough to either
1. Add link to phishing website.
2. Include script which download another bigger malicious script. But this require the QR scanner have security vulnerability to execute data of scanner QR code.
Think of it this way, when you choose your wallet type you are eliminating vulnerabilities based on your choices. That way you narrow down all the ways you can lose your coins so that the remaining ways are no longer plausible. Then you can that "secure".
For example when you choose an open source wallet compared to closed source, you are eliminating the possibility of running a possible malicious code that you are not aware of. It's the same with using air-gap device, you are eliminating possibility of easy access to your keys. Other that that, there will always be ways to gain access to your coins! Sometimes they are theoretical and crazy methods like the ones categorized as side-channel attacks (eg. measuring electromagnetic emission while your CPU is performing cryptographic computation).
You see if you start thinking about all these theoretical ways like through QR code, you would be stepping into a rabbit hole that you may not want to enter...
If people want to store and secure their coins on an air-gap device, they must keep that device as air-gap forever. Because if they connect that device with the Internet, just one time, it will be no longer an airgap device and there will be risk of compromisation on that device which in turn can steal their coins stored in wallets on that device.
satoshi_degenFull Member
Posts: 40 · Reputation: 375
#10Aug 22, 2024, 04:30 PM
Links or scripts would need to be opened/executed to do any harm.
Of course a QR code app shouldn't to that automatically, if security is important.
Air-gapped device is not 100% safe. In general, nothing is 100% safe or guaranteed. An air-gapped device has a risk of side-channel attacks. An air-gapped hardware wallet or a device leaks information physically (acoustic signature of the processing for example can be measured too), which means that an attracker with the right equipment can hack it. The thing is, a random, average person is not under such a threat and sleep without worrying.
silentchainHero Member
Posts: 473 · Reputation: 2317
#12Aug 25, 2024, 07:59 AM
acoustic signature for QR code? Thats completely new to me.
I understand that QR code workflow is more about network isolation than true shield for all threats as attacks can still come from compromised companion apps or even from the supply chain. But the idea of acoustic signature coming from QR code really puzzled me. Could you elaborate a bit more on what you meant and how its relevant? Pertaining links would be appreciated.
In return Ill share good article thats definitely worth reading: SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets.