Question about DIY airgapped solutions

19 replies 216 views
nonce_chadFull Member
Posts: 25 · Reputation: 260
#1Dec 18, 2017, 07:14 PM
Some folks think that just copying and pasting addresses is the way to go, while others argue that using QR codes for addresses is way safer. Since many prefer using tail OS or building their own airgapped setups, I'm curious how you all go about scanning QR codes? I feel like the real risk comes from scanning random QR codes you find online instead of just sticking to Bitcoin wallet addresses or those from reliable exchanges. For anyone who's not a fan of copy-pasting because they think it's risky, can they still use tail OS? Or is there a DIY method to scan QR codes without needing to copy and paste?
6 Reply Quote Share
dave.n0deMember
Posts: 10 · Reputation: 87
#2Dec 18, 2017, 07:52 PM
Anyone is safe. The important thing is if you are able to verify that the address that you scan is correct and that there's no malware in your device that switched the address to a scammers own. Some hardware wallet can still scan QR code and it does not make them to not be safe it will not be safe if you cannot verify that the address that you are sending to is correct.
4 Reply Quote Share
quantumbearHero Member
Posts: 411 · Reputation: 2212
#3Dec 19, 2017, 12:08 AM
Just make sure that after you copy and paste the address, that the address copied did not change to another address. Even if you used QR code and camera instead, make sure the addresses did not change. You should still be able to use QR code and camera on tails OS with zbar-tools package, according to what I found about it. But I do not think it is necessary if it is about bitcoin addresses.
2 Reply Quote Share
greg.guruFull Member
Posts: 109 · Reputation: 510
#4Dec 19, 2017, 02:33 AM
Agreed. It always needs a manual check no matter the method of insterting the address. It's our safety and funds after all.
3 Reply Quote Share
silentchainHero Member
Posts: 473 · Reputation: 2317
#5Dec 19, 2017, 04:03 AM
The silver bullet approach is to build your own QR scanner based on  Raspberry Pi. One relevant DIY project is shown here, and I'm sure there are dozens of similar examples available online, justgoogle. After scanning  QR code with your own device, you can compare its output with the reading shown by the scanner on the device you normally use, such as your smartphone or computer.
4 Reply Quote Share
lonegasFull Member
Posts: 59 · Reputation: 271
#6Dec 19, 2017, 05:55 AM
Never thought there are projects like that ready to be adjusted and used. Thanks for sharing
4 Reply Quote Share
ryanaltFull Member
Posts: 80 · Reputation: 402
#7Dec 19, 2017, 07:00 AM
Safer or safest, if you practice it rightly, you will keep your wallet and bitcoin safe. How to lose your Bitcoins with CTRL-C CTRL-V. You already asked about QR code and scanning QR codes. What could go wrong scanning QR codes. How to Install Tails OS on USB flash drive for Wallet Purpose. QR code can be created from your wallet and you will use it on another device to sign the transaction. Like this with Electrum wallet. Creating a cold storage wallet in Electrum. QR code is at the right corner.
1 Reply Quote Share
degen_satoshiFull Member
Posts: 88 · Reputation: 441
#8Dec 20, 2017, 01:10 AM
Manual check the address everytime. Checking the address is where you get the ✅ checked mark. Because all QR Code does is getting the address in one go for you, makes it easier and faster, that's all. Scamming doesn't mean it's safest, and also be careful around easier options, this is one of them, thinking scanning means reliable. It's possible that QR code has a wrong address, or fake address, if you can it you end up with the fake address still, so scanning address or copy pasting shouldn't be a reason why anyone wouldn't want to use crypto wallets on Tail OS or others.
3 Reply Quote Share
alexwalletSenior Member
Posts: 347 · Reputation: 1933
#9Dec 20, 2017, 03:01 PM
A QR code is a visual format that cannot be read by humans. Without a reference to the Bitcoin address represented, if your scanner is corrupted or fraudulent, you won't realize the address isn't what it should be. All of the above methods have the equal inherent risks; if you don't like copy-paste and are still unsure about scanning a QR code, use drag-and-drop(*) or type it in manually. *) https://en.wikipedia.org/wiki/Drag_and_drop
6 Reply Quote Share
cobra_2015Full Member
Posts: 259 · Reputation: 728
#10Dec 21, 2017, 11:27 AM
It is easily to build a QR Code Reader using Arduino & QR Scanner Module which is costing less than $30 or Raspberry Pi with a camera module or convert an old phone into a QR Scanner (after deleting the parts that connect to the internet). standard QR code (V40) data capacity is 3K, which is less than what is required for some signatures, so a microSD card is necessary.
2 Reply Quote Share
leo.wolfHero Member
Posts: 540 · Reputation: 2813
#11Dec 21, 2017, 01:06 PM
It’s possible if you’re using your tails OS with wallet like electrum that supports webcams this way you just scan address from the other device, even PSBTs are signed from tail OS using QR codes, so address scanning wouldn’t be any problem. Personally I even rate high QR code scanning as safer than even copy and paste or using usb when it’s an airgapped wallet. for verification though you can do that manually, normally it’s actually possible that a flawed QR code can be contain wrong addresses and that’s why even platforms that gives you the QR code to sign have address written below it, so you simply manually verified the address after scanning.  Scanning with QR code doesn’t mean the transaction easily goes through like that, the recipient address is just automatically filled with that address and you can still edit it. So it’s best to manually verify the address
0 Reply Quote Share
coin_sigmaLegendary
Posts: 1275 · Reputation: 5553
#12Dec 21, 2017, 06:34 PM
I don't think there is a safest for both of them because you are still susceptible to online attacks if you use this on an online device. Similar to copying and pasting a Bitcoin address and sending it to the incorrect address, some people scan the QR code and send a Bitcoin to the incorrect address. You can only be safe if you have a separate watch-only wallet online and a cold storage wallet on separate devices. As previously mentioned, if you know how to double-check the transaction when importing it to your Electrum offline wallet before signing it, using Electrum to scan a QR code or copying and pasting the raw hash are both safe. The crucial step is to confirm the transaction in an offline Electrum; it should display a preview of the transaction with your address and the recipient's address. If you don't check this part, there's a chance you could send your BTC to the wrong address even if it is safe on an offline device. So always double-check before signing a transaction.
4 Reply Quote Share
bull_2019Senior Member
Posts: 296 · Reputation: 1992
#13Dec 21, 2017, 08:55 PM
Basically, if you’re using both methods in cold storage.. you still need to verify  the details from your offline device just like everyone already mentioned. To me, it’s same.. unless the flash drive itself isn’t really a flash drive but most people will argue QR code is better which is true anyway, you can can’t trust anything from a device / wallet used on the device that connects to the internet . The unsigned txn is also coming from same source.. remember ? Use both offline wallet and  watch only wallet that supports using of qrcode for what you need. You can use Electrum. Electrum comes with tails, all you have to do is verify .
1 Reply Quote Share
yield_hawkSenior Member
Posts: 197 · Reputation: 1334
#14Dec 23, 2017, 01:56 PM
Yes, you are right, there are known history issues on QR code. QR code malware QR Code replacement scam Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack You can look at this option for you: https://github.com/mchehab/zbar. In any case, due diligence is needed.
4 Reply Quote Share
Posts: 43 · Reputation: 245
#15Dec 25, 2017, 06:46 PM
Use either copy paste or QR code to make sure you are sending crypto to the correct address. It is not easy for many people to type every letter of the address perfectly. Copy and paste is a safer way to send crypto to the desired wallet.
4 Reply Quote Share
greglaserFull Member
Posts: 180 · Reputation: 542
#16Dec 25, 2017, 08:09 PM
HeatBit had another topic that was created before this topic about QR code and issues with it. There are both discussions and recommendations for him about resources to learn more about QR code, this phishing type and how to avoid this scam. Phishing is a famous scam type and if QR codes are used, it's called as Quishing. What could go wrong scanning QR codes.
2 Reply Quote Share
dave.falconFull Member
Posts: 163 · Reputation: 447
#17Dec 26, 2017, 12:01 AM
Forum friends have submitted the solution, try verifying the authenticity of the scanned "QR code", or verifying the "copied/pasted" address. Because, the copied/pasted address could be changed (due to hacking), and so could the QR code. Furthermore, QR codes can also be manipulated by directing potential victims to fake websites (to scam), a method called "Quishing", and the process of manipulation (or fraudulent method) in paste is called "paste jacking". Therefore, try to be vigilant in every activity you do in crypto, especially when making Bitcoin transactions. You don't need to rush into transactions; take the time to verify them, which only takes a short time. Reference : cloudflare.com - What is quishing? Additionally, I also recommend you to “disable” clipboard history, and preferably avoid “Sync across devices”.
1 Reply Quote Share
boss_wizardSenior Member
Posts: 270 · Reputation: 1192
#18Dec 26, 2017, 04:44 AM
Copy and paste is safe if you don't have malware and recheck the address. The hackers won't be able to make address that is 90% similar. In the case that you really want a QR code, just build scanner by yourself. When you are building one, you need to watch out for the supply chain attack and cherry pick library to use. Or simply clone existing git repo and let claude inspect it. For the danger you mentioned, maybe just don't scan any QR code you found online. Or if you insist, use some throwaway devices to scan it first and make sure its safe. Tons of people loses their money scanning random QR code that trigger an app to send money to scammers' addresses but I haven't seen one with crypto.
3 Reply Quote Share
leo51Senior Member
Posts: 194 · Reputation: 1171
#19Dec 26, 2017, 11:07 AM
It is not necessary for tail OS to have a camera so that it can scan a QR code, many people will be fine with copy and pasting bitcoin addresses. All you have to do is make sure you look at the address very well before sending the coins, the most important thing here is keeping your private key safe so that you don't lose your Bitcoin. Which one will you choose? Losing your coins or you not been able to scan QR codes? It makes no sense sorry to say, at the end of everything what matters is keeping your coins alive for many years to come, not if you can scan QR codes or not.
4 Reply Quote Share
paul_maxiSenior Member
Posts: 156 · Reputation: 896
#20Dec 26, 2017, 05:21 PM
What do you mean how... we just point the camera to them, and than confirm address or link visually. There is DIY signing devices like SeedSigner and Krux that have integrated cameras for scanning so you can use them. They are based on raspberry pi and similar small devices, and parts can be purchased anywhere and than assembled. TailsOS is just a portable linux operating system, it has nothing to do with QR codes.
1 Reply Quote Share

Related topics