So you finally bought a Ledger hardware wallet to keep your precious fat Avalanche AVAX bags safe.
Congratulations! If you made the extra effort to buy a hardware wallet, it means you’re serious about self-custody and the security of your funds.
Hardware wallets make it very difficult for attackers to access your private keys without consent, but they’re not perfect. In this article I’d like to go over a “good enough” secure procedure to install the Avalanche AVAX App on a Ledger hardware wallet.
Disclaimer
Nothing in this article suggests foul play by Ledger. The reason I seem paranoid is that I follow the “don’t trust, verify” motto. I have a background in computer science, so if something isn’t mathematically verifiable, then I assume it’s vulnerable – even if it’s an extremely secure system. The point of this article is to harden users’ perception of security and help them understand that not even a high-quality hardware wallet such as a Ledger is 100% secure. Also, crypto implies serious risks. If you mess up your hardware wallet setup, you could lose all your crypto. If you aren’t absolutely confident you know exactly what you’re doing, then please use the official installation instructions provided by Ledger and your favorite wallet provider.
Having said that, let’s take a look at the basics of information security.
Hackers and three-letter agencies can probably get to any private key they want – when they really want to. There is no 100% secure device. This is due to revolutionary discoveries in computer science, like the Halting Problem and Gödel’s Incompleteness Theorem. No need to dive into complex CS stuff: just take my word for it that there is no perfectly secure system. All systems have flaws and the Men in Black are always watching for these flaws.
So how do you stay safe in an environment where one mistake can destroy your entire net worth? There is a concept we know as “good enough” security.
The basic idea behind securing your assets is to make it really time consuming and expensive for a thief to steal them. That’s the core concept behind “good enough” security. For example, if you’re securing $20 and it costs $50 to break the safe, then it’s not worth breaking the safe. If the robbery costs more than the loot, then there’ll likely be no robbery (as long as the thief knows in advance it’ll be really expensive to achieve his goals).
In that case, we say the funds are secured. There is “good enough” security for that purpose.
By using a hardware wallet, you make it really expensive and time consuming for average scammers to get to your funds. Thieves will have to spend lots of time and money to hack your keys, which should secure your funds.
There’s tons of good advice out there for the security-minded, so if you want to dig deeper, please search for general information security tips and secure cryptocurrency storage tips. You’ll find lots of great sites with free advice. For instance, Jameson Lopp has a nice compilation of tips for secure crypto storage and general OPSEC.
In this post, I’ll provide a super paranoid step by step guide on what’s happening at each stage of your new hardware wallet setup.
By understanding each step, with enough practice and experience, you will instinctively start to recognize the traps and avoid them before they happen. Since new security holes and exploits are found every day, the idea here is not to give you the fish, but to teach you to identify and catch the fish.
There’s tons of attack vectors everywhere you look, so this guide is by no means exhaustive. You gotta learn to recognize the patterns and then you’ll identify the security traps yourself.
LFG!
So, you bought a Ledger hardware wallet and it was just thrown into your mailbox by creepy mailman whose son is winning in his basement. Mailman immediately recognizes the French shipping notice on your package. He knows you own a Ledger.
You unbox it and find really cool colored manuals, stickers and mnemonic key backup cards packaged in fresh material-designed envelopes. Everything in a new Ledger box has that new car smell. Life is good.
Now you gotta unbox that beautiful piece of engineering to get it set up.
First thing a newb will do is thoroughly marvel at everything that comes inside the Ledger box.
The virgin newb will take the stickers, place them on their car and laptop, and show them off around the neighborhood. Worse yet, they’ll likely buy a collar, hang the wallet around their neck and walk around town showing off the shiny unhackable new hardware wallet.
Then they’ll dispose of the shipping box containing their name and home address right on their front yard garbage can, so anyone can see where the Ledger was shipped.
Newbs will also buy the most colorful Ledger available. Fluorescent orange or bright red, so that thieves can see it from a mile away. Bonus virgin points for wearing $500 Nikes matching the Ledger color, so thieves get a new shoe along with the crypto bags.
The above is a complete OPSEC disaster – and it’s what you see in ads and social media. OG’s know not to do any of that when handling a new hardware wallet.
OG’s don’t ever let anyone know they’ve bought a wallet. They don’t let anyone know they know what a wallet is.
OG’s don’t tell their best friend, their dog, nobody.
Dogs are generally trustworthy, but by no means should your cat know you’ve bought a Ledger.
First thing you do after unboxing the hardware wallet is take the device in one hand and, using the other hand, throw everything that’s left into a grinder. Or a fireplace. Get rid of the Ledger box, manuals, stickers and recovery cards until not a single printed character is recognizable. You then head to the toilet throne while browsing crypto prices. Flush the kudos and torn up wallet swag down together, never to be seen again.
If you don’t live in a junkyard and there’s no nearby grinder, you manually rip stuff up to unreadable pieces.
This sounds kinda extreme, but it’s not. Worst OPSEC you can have is hardware wallet swag lying around the house when your best friend’s extremely curious and creepy acting husband comes to visit. Thieves are bad too.
OG’s will also camo their Ledger. Make it look like a regular flash drive. Yeah the factory metal thingy is cool but it has that “steal me” vibe to it. Paint or scrape the logo off, or add a flash drive sticker to it. The less it looks like a Ledger, the safer you’ll be.
Soon as you plug your Ledger in, it’ll offer you to either configure it as a new device or recover from a mnemonic phrase.
The newb will obviously choose the new device setup, because you trust the totally unaudited and unsuspicious pseudo-random number generator contained in a cheap Chinese integrated circuit with the computing power of a Casio watch from 1980. Right? You trust the private key it generates to be completely random?
Newbs also like to generate mnemonic phrases on malware infected web browsers. You know all those gaming extensions newbs like to install? The kind that can read on-screen text and capture screenshots? Also virii and general adware. Boy, web browsers are a virgin newb favorite.
Then the newb will write down the mnemonic phrase onto the neat fluorescent orange “secret” recovery key card that came with the Ledger. What could go wrong, right? No thief would ever look there. Might as well scan it and back it up on cloud storage, if you don’t mind the cloud intern taking all your crypto.
That’s not how you should set up a hardware wallet. We need extra-paranoid security.
First of all, an OG would never trust the less-than-pseudo-random number generator in a hardware wallet.
Worse yet, an OG would never, ever, go anywhere close to a private key that was somehow preloaded in a hardware wallet, sheet of paper or anywhere else. Don’t trust anything given to you by the hardware wallet. Only trust what you give it.
The fact is, you simply don’t know how that mnemonic was generated and saved in your wallet.
Mnemonic phrases have got to be absolutely random for them to be secure. Cryptocurrency security depends on the fact that it is mathematically (and physically) intractable to guess your mnemonic phrase, even with a computer that tries trillions of guesses per second.
The only truly secure private key you can ever trust is generated by a true random number generator. These can’t be implemented by algorithm, so there is no way to generate truly random numbers by arithmetic means (John von Neumann, quoted in Knuth’s famous 2nd volume).
Where can you find a true random number generator? The truly random ones are found in special hardware devices that sample data from completely random events, like nuclear grade stuff. You likely don’t have access to one of those, so we gotta do with what’s available to us mere mortals.
It turns out we have some pretty good (“secure enough”) solutions available to us for free!
For example, the closest accessible quasi-RNG that I know is Linux’s /dev/random and/or /dev/urandom.
You can leverage the Linux random number generation system using avax toolbox, since it uses BitcoinJ for its entropy generation when producing new mnemonic phrases. BitcoinJ uses a native PRNG when available, which usually means /dev/random or /dev/urandom on Linux boxes. So I personally use avax-toolbox on Linux whenever I need to generate new mnemonics.
I’ve no idea how Microsoft Windows handles random number generation, but I pretty much consider anything done on a Windows computer to be public info. Who knows how much or what exactly Windows is phoning back home at any given time. Just don’t use Windows for crypto and you’ll be a tad safer IMO.
Macs are UNIX and they probably have /dev/random and /dev/urandom, but I can’t afford a Mac so who knows.
tl;dr; Linux is my go-to system for just about everything.
Alright, so here’s a suggested cookbook recipe to OG hardware wallet setup:
Let’s go over each step in a bit more detail.
First of all, gotta mention the one thing NOT listed above: a web browser! Web browsers are crawling with spyware. Some browsers phone back all your info (for “backup” or “sync” purposes). Others will be infected by malware. Worse still, a malicious browser extension has 100% access to everything contained in your browser, local storage and whatnot.
Heck, even non-malicious extensions may present a security hazard.
You know those custom script extensions that allow you to customize page behavior? They can run code on any page you access. Browser extensions can read form fields, capture screenshots, post information back onto the network.
Keep in mind, web browsers are an adversarial environment as far as security is concerned.
This may sound weird, considering web3 is all built on web browsers, but it’s true. Web browsers must be really clean and well maintained in order to be trusted for crypto transactions. For example, if you must use a web browser, start a clean profile for your crypto work. Browsers often allow you to start an instance using a new profile. Or have a separate privacy oriented browser like Brave that you use only for crypto. Some people like to use virtual machines for their crypto work. That way the host computer can be used for gaming, playing around etc while the virtual machine is used only for crypto work.
Just make sure your main browser, the one with all the bells, whistles, themes and games (and tons of spyware) never gets within a mile radius from your mnemonic phrase.
So, replaying the cookbook steps and the risks involved on each step:
Install avax toolbox: so that you can use its PRNG which is derived from BitcoinJ. If you use a bad random number generator, the attacker can simply recreate the recipe used to generate your “random number”. And then they can recreate all your private keys and addresses. All they have to do is guess your seed right and it’s over. No need to hack your computer or have physical access to your wallet.
Unplug your computer: so if you are infected by a RAT or some other screen capture exploit, remote thieves cannot view your screen or capture your mnemonic somehow. Some text editors phone home the editor contents, especially if you’re using AI helpers. For example, AI driven coding aids will phone home your mnemonic key if you paste it into a programming editor. BTW don’t ever paste your mnemonic anywhere. It should be written on physical paper only, not being moved around on any digital device.
Generate new mnemonic: this is the critical step. Do this airgapped, 100% offline and with no one looking behind your back. The mnemonic generation is the most important step in your wallet security. If you use a bad generator, your seed will be guessed by some seed miner somewhere. There’s people running massive hardware 24×7 trying to guess seeds. If your seed generation is flawed, you will lose your crypto. If someone guesses your seed, there is nothing you can do. They will steal your coins without requiring access to your systems.
Write the mnemonic down on a random piece of paper: paper is probably the most cost-effective backup medium available. There’s paper stuff written thousands of years ago, which survived multiple wars and disasters. Just make sure it’s safe from fires and nosy onlookers. Some people use fancy metal engraved backups, but I’m not a big fan of those. That’s just personal opinion, they’re OK if you choose to use them.
Reasons for the offline install are given here. Basically, it’s impossible to secure a hardware wallet when the binary that’s being pushed into it is coming from a live connection on the internet. Especially when the connected transport has administrative access to your hardware wallet. When you connect to Ledger Live, you authorize it on your Ledger. From there on, literally anything can be done to your device.
Finally, I guess the last 3 or 4 steps are pretty much common sense. Test it out, make sure it’s working before doing any high value transfers. You should always test any crypto setup with low value transactions before going all in.
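To make the “bad generator” risk from the install and generate steps concrete, here is an added Python example (not code from avax-toolbox, BitcoinJ or Ledger) that lays out a 12-word mnemonic’s bits and compares entropy from the kernel CSPRNG with entropy from a clock-seeded PRNG. It assumes the mnemonic follows the BIP39 layout, returns word indices rather than words because the 2048-word list is not embedded, and all function names and the timestamp are made up for illustration.

```python
import hashlib
import math
import os
import random

ENT_BYTES = 16  # 128 bits of entropy -> 12-word mnemonic (BIP39 assumed)

def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 layout: entropy || first ENT/32 bits of SHA-256(entropy),
    cut into 11-bit indices into the 2048-word list."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def checksum_ok(indices: list) -> bool:
    """Rebuild the entropy from the indices and recompute the checksum;
    this is what catches a miscopied word when restoring from paper."""
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = (value >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == indices

def os_entropy() -> bytes:
    """Kernel CSPRNG, the source /dev/urandom exposes on Linux."""
    return os.urandom(ENT_BYTES)

def clock_seeded_entropy(unix_time: int) -> bytes:
    """Deliberately weak: a general-purpose PRNG seeded from the clock.
    The same second always yields the same 'random' 128 bits."""
    rng = random.Random(unix_time)
    return rng.getrandbits(ENT_BYTES * 8).to_bytes(ENT_BYTES, "big")

def effective_bits(window_seconds: int) -> float:
    """Real strength of a clock-seeded seed when the creation time is
    only known to lie somewhere inside a window of this many seconds."""
    return math.log2(window_seconds)

if __name__ == "__main__":
    good = entropy_to_indices(os_entropy())
    print("kernel CSPRNG:", len(good), "indices, checksum ok =", checksum_ok(good))
    t = 1_700_000_000  # constructed timestamp, illustration only
    print("clock-seeded output repeats:",
          clock_seeded_entropy(t) == clock_seeded_entropy(t))
    year = 365 * 24 * 3600
    print(f"clock-seeded, one-year window: ~{effective_bits(year):.1f} bits vs 128")
```

The checksum only detects transcription errors; it says nothing about how random the underlying entropy was, which is why a weakly seeded mnemonic still passes every wallet’s validity check.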
Here’s some additional tips.
We now know the private keys can be extracted from Ledgers. Even if extremely unlikely it’s still a realistic scenario. Extracting those keys should be impossible – but it isn’t. If someone has compromised Ledger servers for as little as 15 minutes, that’s enough to compromise tons of devices. I know this sounds paranoid, but that’s the whole point of this article. Hardware wallets are supposed to be airgapped, they’re supposed to do their thing out of network reach.
I really dislike the idea of having a system with administrative access to the hardware wallet being online at the same time it was granted that admin access. That’s such a blatant security concern IMO.
So, why is it ok to connect my Ledger to an online system like Avalanche Wallet or Core App, but not to Ledger Live?
Great question!
The main difference is that general purpose wallets are unable to run systems-level code on your hardware device.
Wallets only connect to the public / transactional API of your wallet, which is a standard API. So your device will ask you to authorize transfers and so on. On Ledger Live we simply don’t know the content of the APDUs (application protocol data units) being pumped into your device. We have the Ledger Live source code, we have the SDK source code, but the traffic between Ledger Live and your device is encrypted via TLS. You can’t intercept it. So we have no way of knowing if Ledger Live was compromised or that they’re running the same code they publish on GitHub.
Another significant difference is web3 wallets run inside your browser. So there’ll likely be some system dialog box asking you for permissions, because web browser add-ons can’t natively access USB ports. Ledger Live, on the other hand, is a native app that can access anything you can on your local computer.
BTW, if the web3 wallet software has been hacked, it may well include the same privileged instructions Ledger Live does. Since Ledger Live is open source and implemented in JavaScript (TypeScript to be precise), the code is easily adaptable to any web application. The Ledger JavaScript libraries are made for the purpose of integrating their wallet with web3, but they could well be exploited by malicious software. So a hacked or malicious wallet could in theory attempt foul play against your hardware wallet.
Again, this is really paranoid stuff, but possible. 99% of the time you’ll be OK if the wallet URL is confirmed legit, but the purpose of this article is to let you know this stuff is possible.
Finally, most people are trusting all their crypto to mnemonic phrases they generated on some public site, using browsers infested by malware of all kinds. And they’re still OK. But hacks do happen, and when they do you often see experienced users claim “well I always used a HW wallet how did I get hacked”. As we’ve seen, there’s tons of attack vectors. You gotta be extra paranoid to survive the crypto wild west.
I hope this article gave you some ideas about what you should be looking out for security-wise when using hardware wallets like the Ledger for Avalanche AVAX.
You should assume the private keys can be extracted from your wallet by a skilled adversary. It’s really unlikely, but not impossible. (Should be impossible, but it isn’t)
Always remember the “good enough” security principle. If you’re holding millions of U$, then attackers will easily spend hundreds of thousands to hack you. But if you’re just storing beer money, then your hardware wallet is more than you need security-wise without minding anything you read in this article.
PCs and web browsers are riddled with spyware. Some of the spyware is accidental, like browser sync/backups or programming editors with AI helpers which submit the text to get back auto-suggestions. (If you edit your mnemonic on one of those, it’ll get submitted somewhere and an intern could peek at it.) Not all spyware is accidental though. There’s plenty of malware out there that is coded to steal private keys, mnemonic phrases or generally scrape screens for possibly sensitive data.
Don’t get overconfident. Even Bitcoin Core contributors have gotten hacked by unknown exploits. Being paranoid is necessary in the crypto wild west where one slight mistake means your funds are gone forever.
Unidentified OG Crypto Wallet Exploit Stole Over $10M In 11 Blockchains
Bitcoin Core Developer Lost “Basically” All of His BTC Holdings in a Hack
Extracting Keys from a Ledger Device
Ledger CEO Confirms Government Can Access Your Private Keys
Turns out Ledger can hold some of your crypto wallet’s keys, if you agree to it
MetaMask, Phantom warn of flaw that could steal your crypto wallets
Hodlers beware! New malware targets MetaMask and 40 other crypto wallets
How to Use An Air-Gapped Wallet, And Why You Should Get One Soon