Firmware is the backbone of any hardware wallet, managing security and functionality. Some wallets feature updatable firmware, allowing for improvements and new features, while others use non-updatable firmware to eliminate the risk of malicious updates.
However, updatable firmware has significant disadvantages related to security and trust. In this article, we’ll break down the potential risks of updating a wallet's firmware and help you choose the right hardware wallet for your needs.
Why an updatable firmware is a security risk
From supply chain attacks to unauthorized modifications, updatable firmware can compromise a wallet’s security, putting users' funds at risk. We’ll explore the key reasons why updatable firmware is considered a vulnerability rather than an advantage.
Insider attacks A malicious insider in the company (e.g., a developer with access to firmware code) could intentionally embed a backdoor or vulnerability into the update. This could be done for personal gain, political reasons, or under external pressure.
Social engineering Attackers might use social engineering methods to trick company employees into modifying the code or granting access to the update systems.
Employee coercion In some countries, laws or regulators might require a company to implement remote access or firmware control capabilities by threatening key employees. Employees could also face direct pressure from hackers, criminal groups, or even state actors to introduce backdoors or vulnerabilities.
Lack of quality control If the development and testing process for updates is not rigorous enough, random errors might go unnoticed. These errors can become vulnerabilities that attackers could exploit.
No independent audit for each version Firmware auditing is a process of reviewing source code, architecture, and development methods by an independent party not affiliated with the device manufacturer. The goal of the audit is to: identify vulnerabilities, verify the absence of backdoors, and evaluate the quality of cryptographic algorithms. Audits also ensure the firmware complies with industry security standards.
Companies that produce updatable firmware often release new versions with minor fixes or features. Conducting audits for each update requires significant time and financial resources, which may not be feasible for most companies. As a result, updates may be released without prior testing by independent experts.
Without independent validation, users cannot be sure the new version is free from backdoors or critical bugs. Updates can contain errors that make the device vulnerable to attacks, for example, due to improperly implemented cryptography or vulnerabilities in data processing and storage.
Real cases of updatable firmware as security risks
Over the years, several incidents have demonstrated the risks associated with firmware updates, affecting user funds in several wallets.
Ledger (2020): In 2020, a vulnerability was discovered in Ledger hardware wallets related to transaction processing for Bitcoin-derived cryptocurrencies such as Litecoin and Dogecoin. This vulnerability allowed attackers to create transactions that, according to the user, sent altcoins while, in fact, the funds were deducted in Bitcoin. Source.
OneKey (2023): In early 2023, white-hat hackers discovered a vulnerability in the firmware of the OneKey wallet that allowed it to be hacked in one second. The OneKey team promptly fixed the vulnerability and stated that no users were affected. Source.
Advantages of fixed (non-updatable) firmware
Non-updatable firmware in hardware wallets offers distinct advantages, primarily related to increased security and user trust:
No risk of interference Once the device is released, the firmware is fixed and cannot be changed. This eliminates the possibility of hidden backdoors being introduced by the manufacturer or attackers. It also minimizes the risk of new vulnerabilities appearing since the code remains unchanged.
No forced updates Unlike updatable firmware, the manufacturer cannot compel users to install potentially dangerous updates.
One-time audit Independent experts can review and certify the firmware before the device is released, ensuring users' confidence in its reliability. Fixed firmware builds additional trust, as the audit is conducted once, and users know the code will not change.
Verification of firmware integrity Some hardware wallet manufacturers allow users to independently verify the authenticity of the firmware and confirm its compliance with the versions that passed independent audits. This increases trust in the device and provides additional protection for users’ funds.
In conclusion, while firmware updateability offers flexibility, the security risks and trust concerns often outweigh the benefits. Fixed firmware, coupled with thorough independent audits, provides a robust alternative for ensuring the long-term safety of user funds.
