OKX + OneKey: Five-Dollar Wrench Attack? An Overview of Risks in Crypto Physical Devices
Author: OneKey Security Team, OKX Web3 Wallet Security Team
Real Cases of Device Risks from Several Users
Case 1: Tampered Hardware Wallet
User A purchased a hardware wallet from an unauthorized platform and began using it without verification. In reality, the wallet’s firmware had been tampered with, pre-generating multiple sets of mnemonic phrases. Eventually, the crypto assets stored in the hardware wallet were fully controlled by hackers, resulting in significant losses.
Preventive Measures: 1) Users should purchase hardware wallets from official or trusted channels whenever possible. 2) Perform a complete official verification process before using the wallet to ensure firmware security.
Case 2: Phishing Attack
User B received an email from the “Wallet Security Center” stating that there was a security issue with the user’s wallet and requesting the user to enter the wallet’s recovery phrase for a security update. In reality, this was a carefully crafted phishing attack, and the user ultimately lost all assets.
Preventive Measures: 1) Users should never enter private keys or recovery phrases on any unverified websites. 2) Use the hardware wallet’s screen to verify all transaction and operation information.
Case 3: Software Security
User C downloaded malicious software from an unverified source. When the user performed wallet operations, the malicious logic in the software led to asset loss.
Preventive Measures: 1) Users should download software from official channels and regularly update related software and firmware. 2) Use antivirus software and firewalls to protect your device.
Commonly Used Physical Devices and Facilities by Users and Their Risk Types
Currently, the physical devices most commonly used by users include:
1. Computers (desktops and laptops): Used to access decentralized applications (dApps), manage cryptocurrency wallets, participate in blockchain networks, etc.
2. Smartphones and tablets: Used for mobile access to dApps, managing crypto wallets, and conducting transactions.
3. Hardware wallets: Specialized devices (such as Ledger, Trezor) used to securely store cryptocurrency private keys and prevent hacker attacks.
4. Network infrastructure: Routers, switches, firewalls, etc., to ensure stable and secure network connections.
5. Node devices: Devices running blockchain node software (which can be personal computers or dedicated servers) to participate in network consensus and data validation.
6. Cold storage devices: Devices used for offline storage of private keys, such as USB drives, paper wallets, etc., to prevent online attacks.
Potential Risks of Current Physical Devices
1. Physical Device Risks
● Device loss or damage: Loss or damage to hardware wallets or computers may result in the loss of private keys, making it impossible to access crypto assets.
● Physical intrusion: Unauthorized physical access to devices, directly obtaining private keys or sensitive information.
2. Network Security Risks
● Malware and viruses: Attacks on user devices through malware to steal private keys or sensitive information.
● Phishing attacks: Deceptive attempts to trick users into providing private keys or login credentials by posing as legitimate services.
● Man-in-the-middle (MITM) attacks: Intercepting and tampering with communication between users and the blockchain network.
3. User Behavior Risks
● Social engineering attacks: Deceiving users through social engineering to disclose private keys or other sensitive information.
● Operational errors: User mistakes during transactions or asset management that may lead to asset loss.
4. Technical Risks
● Software vulnerabilities: Exploitation of vulnerabilities in dApps, crypto wallets, or blockchain protocols by hackers.
● Smart contract vulnerabilities: Flaws in smart contract code that could lead to theft of funds.
5. Regulatory and Legal Risks
● Legal compliance: Different regulatory policies on cryptocurrencies and blockchain technology across countries and regions may affect the security and freedom of users’ assets and transactions.
● Regulatory changes: Sudden policy changes that may result in asset freezes or transaction restrictions.
Are Hardware Wallets Essential for Private Key Security? Types of Private Key Security Measures
Hardware wallets store private keys in a separate, offline device, preventing them from being stolen by network attacks, malware, or other online threats. Compared to software wallets and other forms of storage, hardware wallets offer higher security, especially for users who need to protect large amounts of crypto assets. Private key security measures can be approached from the following perspectives:
1. Using Secure Storage Devices: Choose reliable hardware wallets or other cold storage devices to reduce the risk of private keys being stolen by network attacks.
2. Establishing Comprehensive Security Awareness Education: Enhance awareness and protection of private key security. Be cautious of any webpage or program requiring private key input. When copying and pasting private keys, consider copying only part of the key and manually entering the remaining characters to prevent clipboard attacks.
3. Secure Storage of Mnemonic Phrases and Private Keys: Avoid taking photos, screenshots, or recording mnemonic phrases online. Instead, write them down on paper and store them in a safe place.
4. Separate Storage of Private Keys: Divide private keys into multiple parts and store them in different locations to reduce the risk of single points of failure.
Current Vulnerabilities in Authentication and Access Control
1. Weak Passwords and Password Reuse: Users often use simple, easy-to-guess passwords or reuse the same password across multiple services, increasing the risk of passwords being brute-forced or obtained through other leak channels.
2. Insufficient Multi-Factor Authentication (MFA): While MFA in Web2 can significantly enhance security, in Web3, once a private key is leaked, the attacker gains full control over the account, making it difficult to establish an effective MFA mechanism.
3. Phishing Attacks and Social Engineering: Attackers deceive users into disclosing sensitive information through phishing emails, fake websites, and other means. Web3-specific phishing sites are becoming more organized and service-oriented, making it easy for users to fall victim without sufficient security awareness.
4. Improper API Key Management: Developers might hard-code API keys into client applications or fail to implement proper permission controls and expiration management, leading to keys being misused if leaked.
How Can Users Prevent Risks from Emerging Virtual Technologies like AI Deepfakes?
1. AI Forgery Risks: There are many AI deepfake detection products available. The industry has proposed several methods to automatically detect fake videos, focusing on unique elements (fingerprints) generated by deepfakes in digital content. Users can also identify deepfakes by carefully observing facial features, edge processing, and audio-visual synchronization. Microsoft has released tools to educate users on identifying deepfakes, which users can learn to strengthen their recognition skills.
2.Data and Privacy Risks: The use of large models in various fields brings risks to user data and privacy. When interacting with chatbots, users should protect personal privacy information, avoid directly entering sensitive information like private keys, API keys, or passwords, and use substitution and obfuscation methods to hide sensitive information. Developers can utilize GitHub’s friendly detection tools, which flag risks if OpenAI API keys or other sensitive information are found in code submissions.
3. Content Generation Abuse Risks: To mitigate the risks of misinformation and intellectual property issues caused by content generation abuse, some products can detect whether text content is AI-generated. Developers should ensure the correctness and security of code generated by large models, especially for sensitive or open-source code, by thoroughly reviewing and auditing it.
4. Daily Vigilance and Learning: Users should consciously evaluate and identify content when browsing short videos, long videos, and articles. They should be aware of common signs of AI forgery or AI-generated content, such as typical male and female narration voices, pronunciation errors, and common deepfake videos. In critical scenarios, users should consciously assess and recognize these risks.
Professional Recommendations for Physical Device Security
For users involved with physical devices including hardware wallets, commonly used computers, and smartphones, we recommend enhancing security awareness through the following measures:
1. Hardware Wallets:
● Use Reputable Brands: Choose hardware wallets from well-known brands and purchase them from official channels.
● Isolated Environment: Generate and store private keys in an isolated environment to minimize exposure to potential threats.
● Secure Storage: Store private keys in fireproof, waterproof, and theft-resistant mediums. Consider using fireproof and waterproof safes. For added security, distribute the storage of private keys or mnemonic phrases across different secure locations.
2. Electronic Devices:
● High-Security Brands: Use smartphones and computers with good security and privacy features, such as those from Apple.
● Minimal Applications: Install minimal and necessary software to maintain a clean system environment.
● Multi-Device Backup: Use Apple’s identity management system for multi-device backups to avoid single-device failure.
3. Daily Use:
● Public Awareness: Avoid performing sensitive wallet operations in public places to prevent recording leaks from cameras.
● Regular Scans: Use reliable antivirus software to regularly scan the device environment for threats.
● Periodic Checks: Regularly check the reliability of the physical storage location for your devices.
Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish