David Bakin’s programming blog.


Air-Gapped Hardware Wallets and FUD - 5 (end)

Is an air-gapped Bitcoin hardware wallet more secure than non-air-gapped? Or is it just inconvenient security theater? A discussion of the claims of the article “Does airgap make Bitcoin Hardware wallets more secure?” (Bakkum, Shift Crypto AG, 2021-10-27) (a provider of a fine Bitcoin non-airgapped hardware wallet: BitBox02).

précis:

Summary: A useful reminder that threats to all hardware wallets exist, but the article offers no support at all for the claim that air-gap provides “little-to-no added security”, and it is full of unwarranted scary FUD besides…

And now, the thrilling conclusion: Given the claim that air-gap provides “little-to-no added security”, does the offense’s claim hold water?

No. I’m not sure who believed the strawman that air-gapped security was “unbeatable” - but once you get past that “debunking”, the article doesn’t support the claim. Few, perhaps none, of the attacks claimed are specific to air-gapped hardware wallets - they affect all wallets. Claims of particular flaws in moving data from a computer to an air-gapped wallet over a storage channel or optical channel are all exaggerated, while similar or more serious problems that affect USB-connected wallets are downplayed or entirely omitted from the discussion. The result is one-sided and unconvincing.

In fact, given the scary Stuxnet example, which isn’t even relevant, and the also scary SD Card “attack”, which isn’t at all practical, plus the long list of completely impractical attacks on general air-gapped computers thrown in for … more scare? … this article seems heavy on the FUD and light on the premise. I think they could have done a better job outlining the strengths and weaknesses of all hardware wallets, and could have made good claims for the superiority of their particular approach to a USB-connected wallet, without resorting to these exaggerations and weak - if not actually false - claims. A better argument would serve the entire community, especially those who are new to cryptocurrency and looking for reliable, solid information they can be confident in.

As always, consider your own personal threat model when evaluating any of these claims. Are you worried about physical loss of your private keys (e.g., due to fire or tornado)? Are you worried about passing the keys securely to a trusted agent should you become disabled, or to your heirs when that’s beyond your control? Are you worried about opportunistic hackers? Theft from your home? Your ne’er-do-well uncle rifling the drawers in your house, looking for loose change and the odd hardware wallet? Are you worried that your wallet software or hardware provider is going to go out of business? Or has already been subverted by a shady hidden organized crime group? Or perhaps you are worried that a nation state is going to single you out and come after your Bitcoin (but not your person) with all their considerable resources? What exactly do you want to protect against, what is your evaluation of the probability of each such threat, the cost to you if each such threat succeeds, and the cost to you of mitigating that threat? And then, choose a wallet solution and transaction process that fits your individual profile.

Acknowledgements

This blog post is derived from a conversation that took place on the SeedSigner Telegram channel. I’d like to thank the participants this morning (2021-11-06) for, first, bringing the article to my attention, and then asking questions that I could respond to. In this post I have updated my comments, made then, to account for changes in the article that have been made since.