Why Multisignature Is Important For Cold Storage
Recent security vulnerability concerns with Ledger and Trezor wallets are less of an issue in a multisig setup
Ledger Issue
In case you missed it, Ledger's controversial firmware update, version 2.2.1 introduced a recovery feature called "Recover." The update raised concerns within the community because it allowed Ledger to back up seed phrases, which are essential for security. The new feature sends the seed to a third party, split into three encrypted fragments. The community criticized the update for potentially undermining the core purpose of a hardware wallet, which is to securely store seed phrases. Additionally, the firmware update required Know Your Customer (KYC) registration, which goes against the privacy ethos of the community. Ledger's historical security breaches also fueled mistrust among users. Ledger had a major security lapse in July 2020, where the physical addresses of 270,000 Ledger owners were stolen. The incident impacted user confidence in the company. Ledger has also been criticized for its lack of transparency, as the firmware code is not open source, leading to doubts and conspiracy theories about its functionality and security.
In Ledger’s support page, they go into a bit more detail, emphasizing that the new Recover feature is “opt in” only (paid service) and is subject to the same security protocol as signing a Bitcoin transaction:
The same principle is applied in the context of Ledger Recover: only you can access the backup for your Secret Recovery Phrase.
If you subscribe to the service, your Secret Recovery Phrase will be fragmented into three pieces, with each part being sent end-to-end encrypted between your Ledger device and the backup providers' secure Hardware Security Module (HSMs).
The backup can only be created after you have approved it directly on your Ledger device, just as you would when signing a secure transaction—anything to do with your private keys can only happen with your confirmation through your Ledger device.
Access to these fragments is restricted by your identity, ensuring that only you can unlock it. The security and cryptography protocol enabling this feature has been designed at Ledger, battle-tested by a team of world-class security experts at Donjon, and validated by a third-party security laboratory.
Ledger Recover is an optional subscription service, which needs to be manually enabled by you. If you believe you don't need the service, you can continue using your Ledger device just like you did before.
If you choose to pay for a subscription, you're still the only one with access to your Secret Recovery Phrase, and you will also have a backup that will be created and accessible only to you. You remain the only one able to pass the identity verification check that is required to fetch back the encrypted fragments and rebuild your Secret Recovery Phrase into another Ledger device—should you need to do so in the future.
In a response to this issue, Ledger's chief technology officer, Charles Guillemet, clarified that Ledger's operating system (OS) requires user consent whenever a private key is accessed and that the OS cannot copy the private key without user approval. However, he acknowledged the need for trust when using a Ledger wallet. Guillemet emphasized that Ledger's firmware is an open platform, allowing third-party apps, but they are thoroughly evaluated for security flaws. He also highlighted the importance of trust and transparency in the realm of crypto wallets and mentioned the theoretical possibility of Ledger changing its OS dishonestly.
Because of all the noise, Ledger later announced that they would delay the private key recovery service and also accelerate their open source initiative since that has also been a major criticism.
If you want more detail on this, check out friend of the show Pleb Underground on YouTube for some good coverage.
Trezor Issue
An article published by CoinDesk last week reported on claims made by Unciphered, a cybersecurity company specializing in recovering lost or stolen cryptocurrency. Unciphered states that they have found a way to physically hack into the Trezor T hardware wallet using an "unpatchable hardware vulnerability." They demonstrate their ability to hack into a Trezor T wallet and retrieve the seed phrase and pin. Trezor acknowledges the attack but mentions that they do not have enough details to respond fully. They suggest that the attack resembles an "RDP downgrade attack" flagged as a risk three years ago. Trezor highlights that a strong passphrase can provide an additional layer of security against such attacks. Unciphered claims that Trezor is aware of the vulnerability but has not taken sufficient steps to address it. From what I have read, it does require the hacker to have physical possession of your hardware device and also some fairly sophisticated computer equipment, software and knowledge to hack the device passcode and ultimately extract your private key.
Back in August 2017, a Trezor blog post addressed concerns about firmware version 1.5.2 of the TREZOR hardware wallet. At the time there was a vulnerability in previous versions of the firmware but Trezor emphasized that it has been fixed in version 1.5.2. It urged users to update their devices to the latest firmware and stated that there are no known vulnerabilities affecting firmware 1.5.2. The article also debunked some general claims made about TREZOR's security and clarified that the described attack vector was patched in the mentioned firmware update.
So regardless which device you use, security vulnerabilities are always a possibility. There are other Bitcoin only hardware wallets on the market today (i.e. Coldcard, Jade) that can potentially provide better security.
Many people in the Bitcoin community like the Coldcard and here are some of the features, including the most recent features added in the new Mk4:
Mk4 Highlights
USB-C connector
Unlimited memory: no Bitcoin transaction size restrictions!
Expanded multisig capabilities: handle bigger, more complex transactions.
NFC-V compatible: tap to transmit all data types, including PSBTs, addresses, and XPUBs.
Protective sliding cover shields screen and keypad when not in use.
Two Secure Elements for even more security:
Many new and extensive duress PIN options (Trick PINs)
Two Secure Elements, two manufacturers; minimizes unknown vulnerability risks.
USB Virtual Disk Mode: emulates a 4MB disk when connected to macOS, Windows, iPhone, etc.
Tougher case: upgraded with new plastic and cleaner edges.
Faster processor and substantially higher memory capacity.
Here’s a summary of Blockstream Jade features (from their website), which I thought was interesting, especially the price comparison:
Regardless of how good or secure your hardware wallet is, there’s always the chance that your device can somehow be compromised, not to mention lost or stolen. This is why you should always store your hardware wallet and seed phrase securely and in separate physical locations. If you really want to be safe, you can split your seed phrase up (called “sharding”) and store each shard in a separate physical location. This would require you to retrieve each shard to reassemble the seed phrase in order for you to use it again. If you lose the hardware wallet you can use the seed phrase in a new hardware wallet to restore your access and move the coins to another wallet.
Why You Need Multisignature Setup
A multisignature (multisig) security setup can help enhance the security of your Bitcoin by requiring multiple signatures (or keys) to authorize transactions. It provides an additional layer of protection in the event that one of your keys is compromised or there are security vulnerabilities present. Here's how it works:
Multiple Keys: With a multisig setup, you generate multiple private keys, typically distributed among different individuals or entities. For example, you might have three keys, with two of them required to authorize a transaction.
Required Signatures: In order to spend or move your Bitcoin, a predetermined number of signatures (usually a threshold) is required. For example, if you have a 2-of-3 multisig setup, at least two out of the three keys need to sign off on a transaction.
Increased Security: By distributing the keys and requiring multiple signatures, a multisig setup mitigates the risk of a single point of failure. Even if one key is compromised or a security vulnerability affects one key, an attacker would still need to compromise an additional key to gain control over the Bitcoin.
Protection Against Insider Threats: Multisig setups also provide protection against insider threats, where a person or entity with access to a single key tries to misuse it. With multisig, collusion or malicious intent by one party alone is not sufficient to authorize transactions.
Flexibility and Customization: Multisig setups offer flexibility in determining the number of required signatures and the distribution of keys. You can choose different configurations based on your security needs and risk tolerance. For example, you can have 2-of-3, 3-of-5, or even higher threshold setups.
Using multisig (2 of 3) with a collaborative custody provider is a good option since they are available to help you setup your multisig security and can assist with recovering your coins if one of your keys becomes unusable for any reason (they would hold the third key and you would hold two). Many collaborative custody providers also provide other helpful Bitcoin financial services, including Bitcoin purchases direct into cold storage, loans collateralized by your Bitcoin, key management support, estate planning support, etc. I use Unchained myself and have been really happy with their services.
Obviously, multisig in collaborative custody can protect you against a thief or other individual malicious actor. If the state wanted your coins, there is a scenario where they could compel the collaborative custodian to use their key plus another one of your keys they were able to compromise (perhaps through commandeering private key shards stored online along the lines of the concerns around Ledger) to move your coins. This seems like a low probability event if you have a Ledger and didn’t opt in to their Recovery program, but still something to be aware of. If you’re really worried, you can switch your Ledger to a Coldcard or Jade in your collaborative custody model or just do your own multisig setup without the collaborative custodian. There are always tradeoffs when considering security, so it’s best to understand your options, experiment with different setups and find what works best for you (see link below to an article I wrote a few months back if you are interested):
Not financial or legal advice, for entertainment only, do your own homework. I hope you find this post useful as you chart your personal financial course and Build a Bitcoin Fortress in 2023. To see all my books on investing and leadership, click here.
Always remember: freedom, health and positivity!
Please also check out my Building a Financial Fortress Podcast on YouTube here and on all your favorite streaming platforms. I do a weekly Bitcoin news update every week on current items of interest to the Bitcoin community, usually 30 to 60 minutes depending on the number of topics to cover. Please check it out if you haven’t already. Also now on Fountain, where you can earn Bitcoin just for listening to your favorite podcasts.
Great breakdown! I'm looking into Unchained now, thank you for the suggestion. Another cold storage option is Foundation Devices. I just got my hardware wallet from them last week, and so far, I like what I see. I'm going to be reviewing it next week.
Great article. Just reminds me how important multi-sig is. Thanks for sharing.