Hardware wallets are devices to securely store and use your bitcoin. They replace the need to trust your computer or phone to securely hold onto your private keys.
Manufacturers are trying to make it easier and more affordable to use a hardware wallet. Removing the screen, one of the more expensive parts, at first glance seems like a good way to save costs. If you dig a little deeper however, it fails to protect the user from even basic attacks.
Let’s look at the basics of a hardware wallet setup:
A wallet needs to communicate with the blockchain in order to scan address balances or send out a transaction. Because a hardware wallet itself cannot connect to the internet directly, it relies on an app running on a host device, for example a computer, to send information over the internet.
While the setup requires a host device, the app and host device must not be trusted. All sensitive information (like private keys) are stored securely on the hardware wallet and should never leave it.
The reason sensitive information does not have to leave the hardware wallet is that important tasks are performed on a miniature computer (aka microcontroller) built inside of itself, such as signing a transaction with your private keys.
The host device sends transaction data, such as the receiver address and the transaction fee, to the hardware wallet, which then approves and signs the transaction, after which the signed transaction is sent back to the host device.
If a wallet signs all transaction data that is being sent to it, how can the user make sure it only signs transactions that he intended to send?
By adding a screen to the device, a user can verify what the hardware wallet is doing. It can show the transaction data and ask for user confirmation, for example by manually pushing an on-device button, before it is signed and sent back to the host device. This way, the user can make sure the transaction signed is for the correct bitcoin address and using the correct transaction fee.
Without a screen and on-device confirmation, the user is left to trust the host device to send the correct information to the hardware wallet.
More specifically: If you are using a computer and a hardware wallet without a screen, a malicious program might look and act like the authentic wallet app visually, but instead of creating a transaction with your intended bitcoin address, it sends the hardware wallet a transaction containing a completely different address and amount. Because the wallet does not know any better, it signs the transaction and sends it back to the computer, which then broadcasts it.
No amount of security on the host device can mitigate the fact that the hardware wallet has to trust the host device, if it cannot validate the transaction data independently.
This begs the question: If the user has to trust the host device anyways, is there an added benefit over a purely software wallet?
We speak from experience. Our original BitBox01 hardware wallet did not feature a display but instead relied on an additional factor of authentication through a smartphone app. An encrypted communication channel between the hardware wallet and smartphone app would allow the latter to serve as a “secure remote screen”. In order to compromise this setup, ostensibly both the host computer and the smartphone app had to be attacked. However, such a setup was complex and full of pitfalls. If the encrypted communication channel was compromised, attacking only the host computer, and not the smartphone app, would even be sufficient to steal funds.
This clearly defeats the purpose of a hardware wallet. Even with a secured communication channel, security is on par with a multisignature wallet split up between a smartphone and a computer.
These lessons have been learned, which is why we retired the BitBox01 and added a big OLED display to the BitBox02.
Removing the display from a hardware wallet defeats its security benefits. We strongly encourage users and developers to outright dismiss products without screens.
Don’t own a BitBox yet?
Keeping your crypto secure doesn't have to be hard. The BitBox02 hardware wallet stores the private keys for your cryptocurrencies offline. So you can manage your coins safely.
The BitBox02 also comes in Bitcoin-only version, featuring a radically focused firmware: less code means less attack surface, which further improves your security when only storing Bitcoin.
Frequently Asked Questions (FAQ)
Why do hardware wallets need a display?
A display allows users to verify transaction data and confirm it on the device, ensuring that the transaction is for the correct bitcoin address and fee.
What happens if a hardware wallet doesn't have a display?
Without a display, users must trust the host device. A compromised computer might display one bitcoin address but send a different one to the wallet for signing.
How does a hardware wallet work with a host device?
A hardware wallet communicates with the blockchain via an app on a host device. The wallet securely stores sensitive information and signs transactions, while the host device sends and receives transaction data.
What's the risk of trusting the host device?
If the hardware wallet can't validate transaction data independently, it has to trust the host device. A malicious program can mislead the user, resulting in transactions to unintended bitcoin addresses.
Why did BitBox02 include a display?
BitBox02 added a display after learning from the BitBox01's limitations. A display enhances security, ensuring users can verify and confirm transactions directly on the device.
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.