Email 2FA for Product Authentication

The advent of cryptocurrencies and their auxiliary features, such as self-custody, has given individuals more freedom in managing their money. Self-custody solutions grant the custodian financial sovereignty, but also leave the individual exposed to various attacks that could result in a complete loss of funds. Hardware wallets are typically known to be the safest self-custody option, but even hardware wallets tend to have vulnerabilities. This blog explores how malicious wallet companion applications can be used to steal digital assets from users.

Malicious software as an attack vector

Typically, a hardware wallet connects to a desktop or mobile application for various operations. Cypherock X1 comes with the cySync desktop application, available on Windows, Linux and Mac. The application serves as the interface for all wallet operations, and the hardware tends to be treated as a signing device. Although the application is crucial to the functioning of the hardware wallet, the default assumption is not to trust the desktop application, because it is installed on an internet-connected device that could host malicious programs.

A common example of an exploit carried out through malicious software is phishing: the attacker states that either the wallet or the software has suffered a breach and attaches a download link for a new application that supposedly needs to be installed to reset the PIN on your hardware wallet or to install the appropriate updates on your wallet. Once the malicious software has been downloaded, it may prompt the user to enter the wallet's seed phrase to access further functionality in the desktop application. Usually there is no way for the attacker to extract the seed phrase from the wallet itself remotely, so the request tends to be disguised as part of a user flow that helps keep your wallet safe. Hence, if the user enters the seed phrase into the malicious application, it is safe to assume that the funds have been compromised.

Hardware wallet companies today broadly use two approaches to authenticate a hardware wallet:

  1. The secure chip inside the device authenticates the device on initialization. This is an insecure way to verify the device, since the user cannot verify this on a compromised wallet.

  2. The wallet is authenticated on initialization by the company's server, and the authenticity result is displayed by the wallet's companion app. The problem is that a malicious app is exactly what the hardware wallet's original threat model assumes: if the user has one, it can display that the product is authenticated even though the server's response said otherwise.

Email Authentication Notification

To remove the reliance on the desktop application as the single source of truth for wallet authenticity, Cypherock has implemented an optional email-based 2FA system that sends the authenticity status of your X1 Vault and X1 cards directly to your email. When you successfully complete a device or card authentication, you will receive an email from Cypherock with the authentication status. Hence, even if the user is running a malicious desktop app, the user can double-check the authenticity result in their email. It is important, though, to make sure that the email the user receives is sent from an email address on the cypherock.com domain.
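
The sender check described above can be run against the raw message rather than the displayed sender name. This is an added example, not Cypherock's code: it assumes your mail provider records DMARC results in an `Authentication-Results` header under the hypothetical authserv-id `mx.example.net` and strips forged copies of that header, and the sample addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = "cypherock.com"   # sender domain named on this page
AUTHSERV = "mx.example.net"  # assumption: authserv-id of your own mail provider

def in_domain(domain, expected=EXPECTED):
    """True for the expected domain or a subdomain, never a lookalike."""
    d = domain.lower().rstrip(".")
    return d == expected or d.endswith("." + expected)

def dmarc_pass_domains(msg, authserv=AUTHSERV):
    """Domains marked dmarc=pass, read only from our provider's header."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [" ".join(p.split()) for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != authserv:
            continue  # added by another host, possibly by the sender
        for p in parts[1:]:
            m = re.match(r"dmarc=pass\b.*?\bheader\.from=([\w.-]+)", p, re.I)
            if m:
                passed.add(m.group(1).lower())
    return passed

def sender_problems(raw):
    """Reasons not to trust the sender; an empty list means the checks passed."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return ["message must carry exactly one From header"]
    domain = parseaddr(froms[0])[1].rpartition("@")[2].lower()
    problems = []
    if not in_domain(domain):
        problems.append(f"From domain {domain!r} is not {EXPECTED}")
    if domain not in dmarc_pass_domains(msg):
        problems.append("provider reported no dmarc=pass for the From domain")
    return problems

# Constructed sample messages (addresses and bodies are made up).
GENUINE = ("Authentication-Results: mx.example.net;\n"
           " dmarc=pass header.from=cypherock.com\n"
           "From: Cypherock <noreply@cypherock.com>\n\nstatus\n")
LOOKALIKE = ("Authentication-Results: mx.example.net;"
             " dmarc=pass header.from=cypherock.com.example\n"
             'From: "noreply@cypherock.com" <x@cypherock.com.example>\n\nstatus\n')
UNVERIFIED = ("Authentication-Results: sender.invalid;"
              " dmarc=pass header.from=cypherock.com\n"
              "From: Cypherock <noreply@cypherock.com>\n\nstatus\n")
```

`sender_problems(GENUINE)` returns an empty list; the lookalike message fails on the From domain even though it passes DMARC for its own domain, and the third message fails because the only passing result was not written by the trusted provider.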


Last updated 1 year ago
