Safe Storage: Hacks vs. Vulnerabilities

With so many people stuck at home and tempers fraying from the stress of a global pandemic, the past months have seemed like a nonstop onslaught against cybersecurity. From the widely publicized Twitter hack to late September’s attack on Kucoin--one that quickly became the third largest theft of digital assets in history--crypto and bitcoin are back in the headlines. And aside from prices climbing, it’s largely not in a good way. 

My technical teams at Ledger faced a long year as well, with colleagues disclosing vulnerabilities and working hard to make sure they were patched thoroughly and quickly. Many have received increasingly sophisticated phishing emails, which are powerless against hardware, but insidious to distracted or uneducated users. And, over the months, we’ve come to notice that the crypto industry isn’t the only one with a reputation problem. 

Even those familiar to crypto are often party to a common misconception--that a “hack,” usually of a large exchange or database, is the same thing as a “vulnerability” in a system, such as a hardware wallet. It’s important to highlight the differences between the two terms, and their implications, especially in the days of social media and clickbait headlines that are designed specifically to evoke an emotional response. When someone gains unauthorized access to your data or funds and performs unauthorized transactions, that’s a hack. In cybersecurity, a vulnerability is a weakness that can be exploited and if undiagnosed, could potentially result in a hack or breach of security. It sounds intimidating, but vulnerabilities are actually an opportunity to improve on existing systems, a chance to learn how to make them better before any flaws can be exploited. 

Vulnerabilities can be caused by a variety of factors, not all of them hardware-related. In addition to hardware, it’s worth considering we’re looking at industry realities (potential issues caused by features of the technology such as forks), design problems (user interfaces designed in an unnecessarily complex or confusing way), or a lack of education on the part of the user.  Finally, for those with deep technical knowledge--a lot of vulnerabilities rest on what is potentially possible, not what’s likely. Some can be accessed only by security experts actively looking for them, and others can only be exploited in incredibly difficult or even impossible circumstances, ones that never happen in practice. 

As we saw with this summer’s Twitter hack, lack of education is a problem that bleeds over to the rest of the world. That hack was likely caused by social engineering, or the hackers targeting Twitter employees to gain access to privileged information. In crypto, you’re more likely to see phishing attacks, where bad actors pretend to be a trusted service provider and ask you to provide sensitive data, such as your login info to an exchange, or your 24 word recovery phrase to your hardware wallet. Unfortunately, the only way to prevent phishing scams is to be wary of them, and to educate yourself. In crypto, education goes beyond mainstream adoption--it’s a space that demands its users educate themselves. Simply put, decentralization needs education. Whether you’re just starting out or you have a deep, technical understanding of the technology, social engineering is always something to be wary of. 

The reality is that there is no unhackable system--the best way to protect ourselves is to keep trying to break our own systems, to intentionally seek out vulnerabilities in our products and improve upon our innovations. Cybersecurity, just like the rest of tech, is a nascent industry. We are constantly learning new things, learning from our mistakes, and stumbling on big discoveries. If we stopped looking for vulnerabilities, it would be like ceasing virus testing in the middle of a pandemic. Not only would we stop finding them--we’d stop being able to fix them before they could be exploited. 

Vulnerabilities found in hardware wallets do not call the security of those wallets into question. There’s a reason the safest place for your coins is still your private keys. And as our friends at Kucoin are finding out, that’s true whether you’re an exchange or an individual. While Kucoin did not suffer from an unpatched vulnerability, there was a problem with the way they chose to manage their liquidity, as well as the way they chose to educate their users about safe crypto storage. Part of what makes hardware wallets so safe is that every major cybersecurity company actively hunts for vulnerabilities and transparently works, often collaborating, to alert the ecosystem and patch the vulnerabilities--even going so far as to offer bounties to security researchers and white hat hackers. Ledger, for example, has an internal attack lab, the Donjon, that dedicates its time to hacking Ledger products, as well as those of competitors. All of this to say, despite mentions of vulnerabilities in the news and on social media, the majority of vulnerabilities are not hacks--your hardware wallet is safe, and cold storage is still the safest place to store your crypto.