Better Keep Cash in Your Boots - Hardware Wallets are the New Single Point of Failure

ABSTRACTHardware wallets are currently considered the most secure way to manage cryptocurrency keys and sign transactions. However, previous publications show that such tokens can be replaced or manipulated in a number of hard-to-detect ways pre- or post-delivery to the user and that implemented (remote) attestation and authenticity checks fail their purpose for multiple reasons. We analyzed the architecture of current products by examining their initialization procedure and attestation methods. Unlike previous publications, we found that tightened attestation and communications encryption will not solve the fundamental architectural flaws sustainably. We conclude that the architecture of current-generation cryptocurrency hardware wallets missed the opportunity for a resilient design by copying the PC's wallet architecture and thus merely shifting the single point of trust from the PC to the hardware wallet. We advocate a mutually verified architecture through changes to BIP32/BIP44 wallet architectures to incorporate collaborative signatures and key generation. This way, neither a compromised wallet nor a compromised PC can meaningfully manipulate keys or transactions.