Does anyone happen to have a way to dumb this down? From what I understand this somehow would affect even those with hardware wallets and maybe even cold storage? I just don't get how cold wallets are vulnerable?
There is no way a cold wallet could be compromised, unless you give out the private key. Even a computer hacking it would take next to forever to crack it.
reply
122 sats \ 5 replies \ @ek 9 Aug
Cold wallets can be compromised through malicious firmware. This is what Dark Skippy is about: malicious firmware leaking private key information via signatures.
reply
Okay, I am a bit old school here. When you were talking about cold wallets, I thought you were talking about the ancient paper wallets. I see where this is going, with the new electronic cold wallets.
reply
30 sats \ 1 reply \ @ek 9 Aug
If you want to move funds on your cold or paper wallet, you still need a signing device. Afaik, a hardware wallet is the closest thing to a cold wallet that can do that.
But you're right, I didn't distinguish between hardware wallets and cold wallets. Sorry for that.
reply
No, it's okay. If you do use the hardware wallets, you have to be careful of many things. But people using them generally don't download malicious hardware. I would think they would be more secure than that.
reply
20 sats \ 1 reply \ @Cje95 OP 9 Aug
So let's say I have a Ledger and I do all my updates through its platform; that in theory should protect me from this, right?
reply
Actually, it says it needs at least two transactions, so if you only put the bitcoin in your wallet, you should still be safe.
reply
53 sats \ 1 reply \ @ek 9 Aug
I just don't get how cold wallets are vulnerable?
Is the subtitle not enough?
Malicious firmware can embed secret data into a public Bitcoin transaction, which the attacker can then use to extract a person’s seed words.
reply
Because of their offline nature I was confused. I understood a Ledger or Trezor as something that, when you unplugged it and there was no power and no connection, was safe. Obviously that was a super basic summary, but that's why I was asking people who would have a much better understanding than me!
reply
This exploit is worth keeping at the back of your head, but it's overly sensationalist.
The way you fall for this starts with updating the firmware in your wallet to a malicious version. This could be the wallet manufacturer going rogue or getting hacked, or your computer being infected and replacing a downloaded file.
You then sign a transaction with the wallet, but the attacker's code embeds your private key in the transaction in a way that only he can detect (by monitoring incoming transactions). He then sweeps away your funds.
There are multiple lines of defense:
  • Make a big deal of updating the firmware. Never update automatically (if your wallet has this functionality). Don't do it immediately after release, wait a few weeks, it's not that important, in most cases. Be especially careful if it seems like the manufacturer is rushing people to update because of a "critical security fix". Triple check firmware checksums (in multiple independent places), write everything down, don't rely on your computer entirely. Even build the firmware from source yourself, if that's possible (ColdCard and Trezor).
  • There are ways for software wallets to detect and flag some of these attempts before broadcasting. I imagine more and more wallets will start including these features.
reply
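Added example, written for this page and not taken from the thread or from any wallet vendor: a toy model of the "host-contributed nonce" check, one way a software wallet can flag a signing device that picks its own nonce, which is the kind of detection the post above alludes to. The secp256k1 arithmetic, the hypothetical `Device` class and the commit/sign message order are simplifications for illustration; real products implement this differently.

```python
import hashlib, secrets
# secp256k1 domain parameters (standard values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def H(*parts):  # SHA-256 of the concatenation, reduced mod N
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N
def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def verify(pub, msg, r, s):  # plain ECDSA verification, exactly what the network checks
    w = pow(s, -1, N)
    R = add(mul(H(msg) * w % N, G), mul(r * w % N, pub))
    return R is not None and R[0] % N == r

class Device:  # hypothetical signer; honest=False models firmware that ignores host entropy
    def __init__(self, priv, honest=True):
        self.priv, self.honest = priv, honest
    def commit(self, msg, host_commit):  # reveal R0 = k0*G before the host nonce is known
        self.k0 = H(b"k0", self.priv.to_bytes(32, "big"), msg, host_commit)
        self.R0 = mul(self.k0, G)
        return self.R0
    def sign(self, msg, host_nonce):  # honest nonce: k = k0 + H(R0 || host_nonce)
        k = (self.k0 + H(enc(self.R0), host_nonce)) % N if self.honest else self.k0
        r = mul(k, G)[0] % N
        return r, pow(k, -1, N) * (H(msg) + r * self.priv) % N

def host_sign(device, pub, msg):  # host side: contribute entropy, then check it was used
    host_nonce = secrets.token_bytes(32)
    R0 = device.commit(msg, hashlib.sha256(host_nonce).digest())  # send only H(host_nonce)
    r, s = device.sign(msg, host_nonce)                             # now reveal host_nonce
    R_expected = add(R0, mul(H(enc(R0), host_nonce), G))           # = (k0 + t)*G
    return verify(pub, msg, r, s), r == R_expected[0] % N

PRIV = H(b"constructed demo key")  # constructed test key, not a real wallet key
PUB, MSG = mul(PRIV, G), b"constructed sighash"
```

The dishonest device still produces a signature the network accepts (first flag `True`), which is why chain validity alone cannot catch this; only the host's second check, comparing `r` against the nonce it helped build, flags it.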
This was the explanation I was looking for!!! Thank you so much!!!
I am getting the same kinda update vibe with this as I do with my iPhone. Let Apple roll out its update and then wait for them to fix all the bugs that always seem to happen. I would assume if you get your hardware wallet firsthand from a reputable company like Ledger and do all the updates through them, that addresses most of it. Along with honestly keeping your computer secure as well!
reply
You clicked on the unknown file attachment in your email from unknown user and got infected with the virus. Same here, malicious firmware update on your hardware wallet. Bottom line, don't download $hit you don't know...lol
reply
Thank you, I wasn't trying to reinvent the wheel with this question, I was just bamboozled.
reply