OKX Web3 Wallet has specially planned a “Security Special Issue” column to provide answers to various types of security issues on the chain. By sharing real cases that happened to users and cooperating with security experts or organizations in the field, the column aims to strengthen user security education and help users learn to protect their private keys and wallet assets.
This article is a sponsored article written and provided by OKX, and its views are independent of Dynamic Zone.
In the world of Web3, there are two expenses that cannot be spared: one is the gas fee for on-chain transactions, and the other is the cost of buying equipment for off-chain use. But whether it’s on-chain or off-chain, security is equally important.
This is the 4th issue of the Security Special Issue, and we have invited the OneKey Security Team, an encrypted hardware wallet vendor, and the OKX Web3 Wallet Security Team to share practical guidelines on how to enhance device security.
OneKey Security Team:
OneKey was established in 2019 and is a security-focused open-source hardware and software wallet company. It has a security research lab and has received support from top institutions such as Coinbase, Ribbit Capital, and Dragonfly. Currently, OneKey hardware wallets are one of the best-selling brands in Asia.
OKX Web3 Wallet Security Team:
Hello everyone, we are very happy to share with you today. The OKX Web3 Wallet Security Team is mainly responsible for the security capabilities of OKX in the Web3 field, including wallet security, smart contract security auditing, on-chain project security monitoring, etc. We provide users with multiple protection services for product security, fund security, and transaction security, and contribute to maintaining the overall security ecosystem of the blockchain.
Q1: Can you share some real cases of device risks that users have faced?
OneKey Security Team:
Device risks faced by Web3 users have diverse characteristics, and we will share a few common examples.
Case 1: User Alice left her device unattended and it was physically accessed by someone without her knowledge, resulting in the theft of her assets. This is commonly known as an “Evil Maid Attack” in the field of computer security and is one of the most common types of device risks that users face. Attackers can be colleagues, room cleaners, or even close associates who are tempted by the user’s assets. We have previously assisted users in investigating cases of stolen assets from hardware wallets. After the user reported the case, the exchange obtained the KYC information of the attacker’s account and found out that the attacker was someone close to the user. This shows that even with various precautions, it is difficult to guard against theft within one’s own home.
Case 2: User Bob is physically threatened and forced to hand over his device that has control over his assets. This is known as the “$5 Wrench Attack” in the crypto community. In recent years, with the rise of the crypto wealth effect, cases of kidnapping and extortion targeting high-net-worth individuals have become more prevalent, especially in countries with high crime rates. In early 2023, there was a report of a robbery during an offline cryptocurrency transaction. The victim was attending an offline digital currency investor meeting and was controlled in a car after dinner. The criminals forced the victim to unlock their phone and wallet software using facial recognition, then converted the cryptocurrencies in the wallet to 4.1 million USDT and immediately transferred the funds and left. Recently, there has been a tweet circulating about a crypto mining OG who claimed to have been robbed by an international criminal organization and lost most of their accumulated crypto assets.
OKX Web3 Wallet Security Team:
Today’s topic is very important. We have previously discussed topics such as private key security, MEME trading security, and lube security, but device security is also crucial. We will share some classic cases.
Case 1: Tampered hardware wallet
User A purchased a hardware wallet from an unauthorized platform and started using it without verification. In reality, the firmware of the wallet has been tampered with and has pre-generated multiple sets of mnemonic phrases. As a result, the user’s encrypted assets stored in the hardware wallet were completely controlled by hackers, resulting in significant losses.
Preventive measures: 1) Users should try to purchase hardware wallets from official or trusted channels. 2) Before using a wallet, go through the official verification process to ensure firmware security.
Case 2: Phishing attack
User B received an email from the “Wallet Security Center” stating that there were security issues with the user’s wallet and requested the user to enter the wallet’s recovery phrase for a security update. In reality, this was a carefully designed phishing attack, and the user ended up losing all their assets.
Preventive measures: 1) Users should never enter their private keys or recovery phrases on any unverified website. 2) Use the screen of a hardware wallet to verify all transaction and operation information.
Case 3: Software security
User C downloaded malicious software from an unverified source. When the user performed wallet operations, the presence of the malicious logic in the software led to asset loss.
Preventive measures: 1) Users should download software from official channels and regularly update relevant software and firmware. 2) Use antivirus software and firewalls to protect your devices.
Q2: What are the commonly used physical devices and facilities by users and the types of risks associated with them?
OneKey Security Team:
Regarding devices related to the security of user assets, they usually include mobile phones, computers, hardware wallets, USB storage devices, and network communication devices (such as Wi-Fi). In addition to the “Evil Maid Attack” and the “$5 Wrench Attack” we mentioned earlier, there are a few other aspects to pay special attention to.
1. Social engineering and phishing attacks:
Social engineering and phishing attacks are currently very common and effective attack methods. Attackers exploit human weaknesses to deceive users into performing dangerous operations. For example, they may send emails, messages, or social media notifications containing malicious links or attachments, disguising themselves as trusted sources such as bank notifications or social media platforms. Once users click on these links or download attachments, malicious software is implanted into their devices, resulting in remote intrusion.
Another example is impersonating technical support personnel. Attackers may pretend to be technical support personnel and contact users via phone or email, claiming that their devices have problems that need immediate action. They may induce users to provide remote access to their devices or disclose sensitive information. Currently, on Twitter, if you mention terms related to cryptocurrencies, there will soon be a swarm of bots pretending to provide technical support “services” to you.
2. Supply chain attacks:
Supply chain attacks refer to malicious implants by attackers during the production or transportation process of devices. It can be manifested in the following three ways:
– Hardware tampering: Attackers may implant malicious software during the production process of hardware wallets or USB storage devices. For example, if users purchase devices from unreliable sources, they may receive tampered devices that are preloaded with malicious software capable of stealing information or allowing remote access.
– Software tampering: Attackers may carry out attacks in the software supply chain, tampering with software or firmware update packages. When users download and install these updates, their devices may be implanted with backdoors or other types of malicious code.
– Logistic attacks: During the transportation process of devices, attackers may intercept and tamper with them. For example, during delivery, hardware devices may be replaced or tampered with to facilitate subsequent attacks.
3. Man-in-the-Middle (MITM) attacks:
MITM attacks refer to the interception and tampering of data transmission by attackers in a two-party communication. For example, when users use unencrypted network communication, attackers can easily intercept and modify the data being transmitted. This can happen when using unencrypted HTTP websites, where attackers can intercept and modify the data sent and received by users.
Another example is public Wi-Fi. When using public Wi-Fi, the user’s data transmission is more susceptible to interception by attackers. Attackers can even set up malicious public Wi-Fi hotspots, and once users connect to them, attackers can monitor and steal sensitive information such as login credentials and bank transaction records. Even home Wi-Fi can be invaded in extreme cases to install malicious software.
4. Insider attacks and software vulnerabilities:
Insider attacks and software vulnerabilities are risks that are difficult for users to control but have a significant impact on physical device security.
The most common are software and hardware security vulnerabilities. Attackers can exploit these vulnerabilities to carry out remote attacks or physical attacks. For example, certain extensions or applications may have undiscovered vulnerabilities that attackers can exploit to gain control of the devices. This can usually be resolved by keeping the software up to date. At the same time, hardware should consider using the latest encryption chips.
There are also internal activities by software personnel: Internal personnel of software developers or service providers may abuse their access privileges to engage in malicious activities, such as stealing user data or implanting malicious code in the software. Alternatively, external factors may lead to malicious activities.
For example, there was a case where the “Lube Studio” had their assets stolen due to the use of a fingerprint browser that allowed multiple instances. This was likely caused by internal misconduct related to the software or extension. This shows that even legitimate software can pose a threat to user asset security if its internal controls are not strict.
Another example is Ledger’s incident that caused panic – many dapps were using the Connect Kit which had issues. The attack was caused by a former employee falling victim to a phishing attack, and the attacker inserted malicious code into the Connect Kit’s GitHub repository. Fortunately, Ledger’s security team deployed a fix within 40 minutes of being notified of the issue, and Tether froze the attacker’s USDT funds in time.
To be continued…OneKey 安全團隊:
AI 換臉等新興虛擬技術的出現,確實給用戶的個人隱私和資訊安全帶來了新的挑戰。為了預防這些風險,用戶可以考慮以下措施:
1)保護個人資訊:盡量減少在網路上公開個人信息的程度,特別是敏感信息。不要輕易回答陌生人的問題,避免在社交媒體上公開家庭和個人生活的細節。
2)加強網路安全意識:提高對釣魚攻擊和社會工程學的警惕性,識別和避免點擊可疑連結、下載不明應用和打開來路不明的郵件附件。
3)定期更新安全軟體:確保電腦和手機上的安全軟體(如防毒軟體、防駭軟體)和應用程式保持最新狀態,及時修補漏洞。
4)加強帳戶安全:使用強密碼,並定期更換密碼。啟用多因素身份驗證(MFA),如短信驗證碼、指紋識別等,增加帳戶的安全性。
5)注意相關法律和規定:了解和遵守相關的隱私保護法律和規定,保護自己的合法權益。
OKX Web3 錢包安全團隊:
AI 換臉等新興虛擬技術的風險是不可忽視的。為了預防這些風險,用戶可以考慮以下預防措施:
1)提高安全意識:了解和學習有關虛擬技術的最新資訊,保持對新興技術風險的警覺性。
2)保護個人資訊:嚴格控制個人資訊的分享和公開,避免將敏感信息提供給不可信的平臺和第三方。
3)審慎使用虛擬技術:在使用虛擬技術時,盡量選擇可信賴的平臺和應用程式,確保其安全性和隱私保護措施。
4)定期更新軟體:確保使用的軟體和應用程式保持最新版本,及時修補漏洞和安全風險。
5)加強帳戶安全:使用強密碼,並定期更換密碼。啟用多因素身份驗證(MFA),增加帳戶的安全性。
6)監控和報告風險:如果發現任何虛擬技術的安全風險或異常行爲,應及時監控、報告和處理。OneKey Security Team:
At the 2015 BlackHat conference, global hackers unanimously agreed that facial recognition technology is the most unreliable method of identity authentication. Nearly a decade later, with advancements in AI technology, we now have near-perfect “magic” to replace facial recognition, proving that ordinary visual facial recognition can no longer provide security guarantees. Therefore, it is more important for identification parties to upgrade algorithmic technology for identification and prevention of deepfake content.
Regarding the risks of AI face swapping, there isn’t much users can do apart from protecting their own biometric data privacy. Here are some small suggestions:
1) Be cautious when using facial recognition applications. Users should choose applications with good security records and privacy policies. Avoid using applications from unknown or dubious sources and regularly update software to ensure the use of the latest security patches. In the past, many small loan company apps in China violated user’s facial data for resale, resulting in the leakage of user’s facial data.
2) Understand multi-factor authentication (MFA). Single biometric authentication carries greater risks, so combining multiple authentication methods can significantly improve security. MFA combines various verification methods such as fingerprints, iris scans, voice recognition, and even DNA data. For identification parties, this combination of authentication methods can provide an additional layer of security when one authentication method is compromised. For users, protecting their own privacy data in this aspect is equally important.
3) Maintain skepticism and beware of fraud. Obviously, with the ability of AI to imitate faces and voices, impersonating someone online has become much simpler. Users should be particularly cautious of requests involving sensitive information or fund transfers, utilizing two-factor authentication, and confirming the identity of the other party through phone or face-to-face verification. Stay vigilant, do not easily believe in urgent requests, and be aware of common scam methods such as impersonating executives, acquaintances, or customer service. Nowadays, there are also many impersonations of celebrities, so caution is necessary when participating in certain projects to avoid “fake platforms.”
OKX Web3 Wallet Security Team:
In general, emerging virtual technologies bring new risks, which in turn lead to the research of new defense methods, and the research of new defense methods brings forth new risk control products.
1) AI deepfake risk. In the realm of AI face swapping, there are already many AI deepfake detection products available. The industry has put forward several methods to automatically detect fake videos, focusing on detecting unique elements (fingerprints) generated by the use of deepfake in digital content. Users can also identify AI face swapping through careful observation of facial features, edge processing, asynchronous audio, and video, etc. In addition, Microsoft has also launched a series of tools to educate users on deepfake recognition, allowing users to learn and enhance their own recognition abilities.
2) Data and privacy risks. The application of large-scale models in various fields also brings risks to user data and privacy. In the use of conversational bots, users should pay attention to the protection of personal privacy information and avoid direct input of key information such as private keys, keys, passwords, etc. Instead, it is recommended to use alternatives, obfuscation, and other methods to conceal key information. For developers, Github provides a series of friendly detection methods. If the submitted code contains OpenAI apikeys or other privacy leaks, the corresponding push will report an error.
3) Content generation abuse risk. In daily work, users may encounter many results of content generated by large-scale models. Although this content is effective, the misuse of content generation also brings false information and copyright issues. Some products have emerged to detect whether text content is generated by large-scale models, which can reduce corresponding risks. In addition, when developers use code generation of large-scale models, they should pay attention to the correctness and security of the generated code. For sensitive or open-source code, thorough review and audit are necessary.
4) Daily attention and learning. When users browse short videos, long videos, and various articles in their daily lives, it is important to consciously judge and recognize possible AI fakes or AI-generated content. Recognize common signs such as commentary voiceovers, incorrect pronunciations, and common face-swapping videos. In critical situations, consciously judge and recognize these risks.
Q6: From a professional perspective, please share some recommendations for physical device security.
OneKey Security Team:
Based on the various risks mentioned above, we summarize the protective measures as follows:
1) Guard against the invasion risks of connected devices. In our daily lives, connected devices are ubiquitous, but they also bring potential invasion risks. To protect our high-risk data (such as private keys, passwords, MFA backup codes), we should use strong encryption methods and choose storage methods that isolate the network as much as possible, avoiding storing sensitive information directly in plain text on devices. In addition, we need to always remain vigilant against phishing and trojan attacks. Consider using dedicated devices for cryptographic asset operations separate from other general-purpose devices to reduce the risk of attacks. For example, we can separate the use of laptops for daily use and hardware wallets for managing cryptographic assets. In this way, even if one device is attacked, the other device remains secure.
2) Maintain physical monitoring and protection. To further ensure the security of our high-risk devices (such as hardware wallets), we need to implement strict physical monitoring and protection measures. These devices at home should be stored in high-standard safes equipped with comprehensive smart security systems, including video surveillance and automatic alarm functions. If we need to travel, it is important to choose hotels with secure storage facilities. Many high-end hotels provide dedicated secure storage services, which provide additional protection for our devices. Additionally, we can consider carrying portable safes to ensure the protection of our important devices in any situation.
3) Reduce exposure risks and prevent single points of failure. Distributing devices and assets is a key strategy for reducing risks. We should not store all high-privilege devices and cryptographic assets in one place or one wallet, but instead consider storing them in secure locations in different geographical locations. For example, we can store some devices and assets at home, in the office, and with trusted relatives. Furthermore, using multiple hot wallets and hardware cold wallets is an effective method. Each wallet can store a portion of the assets, reducing the risk of a single point of failure. To increase security, we can also use multi-signature wallets that require multiple authorized signatures for transactions, significantly enhancing the security of our assets.
4) Prepare for worst-case scenarios. It is crucial to have contingency plans for potential security threats. For high-net-worth individuals, maintaining a low-profile approach is an effective strategy to avoid becoming a target. We should avoid flaunting our cryptographic assets in public and try to keep property information low-key. Additionally, it is necessary to develop emergency plans for device loss or theft. We can set up bait wallets to temporarily deal with potential robbers while ensuring that the data of important devices can be remotely locked or erased (with backups). When traveling in high-risk areas, hiring private security teams can provide additional security and using special VIP security channels and high-security hotels can ensure our safety and privacy.
OKX Web3 Wallet Security Team:
We will introduce the recommendations from two perspectives: the OKX Web3 app level and the user level.
1) OKX Web3 app level:
The OKX Web3 wallet employs various measures to reinforce the app, including but not limited to algorithm obfuscation, logic obfuscation, code integrity detection, system library integrity detection, application tamper resistance, and environmental security detection. These measures minimize the probability of users being subjected to hacker attacks when using the app and also reduce the likelihood of black market actors repackaging our app.
In terms of Web3 wallet data security, we utilize state-of-the-art hardware security technology and chip-level encryption methods to encrypt sensitive data in the wallet. This encrypted data is bound to the device’s chip, making it impossible for anyone to decrypt the encrypted data if stolen.
2) User level:
Regarding the physical devices that users interact with, including hardware wallets, commonly used computers, and mobile devices, we recommend that users enhance their security awareness in the following aspects:
1) Hardware wallets: Use well-known brands of hardware wallets, purchase them from official channels, and generate and store private keys in isolated environments. The medium used to store private keys should be fireproof, waterproof, and theft-proof. It is recommended to use fireproof and waterproof safes to store private keys or mnemonic phrases in different secure locations to enhance security.
2) Electronic devices: Choose reputable brands (such as Apple) with better security and privacy features for installing software wallets on phones and computers. Minimize the installation of unnecessary applications and maintain a clean system environment. Use the Apple ID system to manage multi-device backups to avoid single-device failures.
3) Daily usage: Avoid performing sensitive wallet device operations in public places to prevent camera surveillance and recording. Regularly use reliable antivirus software to scan the device environment. Regularly check the reliability of the physical device storage location.
Finally, thank you for reading the 4th issue of the OKX Web3 Wallet “Security Special” column. We are currently preparing for the 5th issue, which will include real cases, risk identification, and practical security operations. Stay tuned!
Disclaimer: The content of this article is a promotional article provided by the contributor. The contributor has no relationship with DQ and this article does not represent the position of DQ. This article does not intend to provide any investment, asset advice, or legal opinion, nor should it be regarded as an offer to purchase, sell, or hold assets. The services, programs, or tools mentioned in this promotional article are provided for reference only, and the actual content or rules are subject to the official announcement or explanation of the contributor. DQ is not responsible for any possible risks or losses. Readers are reminded to conduct their own careful verification before making any decisions or actions.