Hardware wallets are devices to securely store and use your bitcoin. They replace the need to trust your computer or phone to securely hold onto your private keys.
Manufacturers are trying to make it easier and more affordable to use a hardware wallet. Removing the screen, one of the more expensive parts, at first glance seems like a good way to save costs. If you dig a little deeper, however, a wallet without a screen fails to protect the user from even basic attacks.
Let’s look at the basics of a hardware wallet setup:
A wallet needs to communicate with the blockchain in order to scan address balances or send out a transaction. Because a hardware wallet itself cannot connect to the internet directly, it relies on an app running on a host device, for example a computer, to send information over the internet.
While the setup requires a host device, the app and host device must not be trusted. All sensitive information (like private keys) is stored securely on the hardware wallet and should never leave it.
The reason sensitive information does not have to leave the hardware wallet is that important tasks, such as signing a transaction with your private keys, are performed on a miniature computer (aka microcontroller) built into the device.
The host device sends transaction data, such as the receiver address and the transaction fee, to the hardware wallet, which then approves and signs the transaction, after which the signed transaction is sent back to the host device.
If a wallet signs all transaction data that is being sent to it, how can the user make sure it only signs transactions that he intended to send?
By adding a screen to the device, a user can verify what the hardware wallet is doing. It can show the transaction data and ask for user confirmation, for example by manually pushing an on-device button, before it is signed and sent back to the host device. This way, the user can make sure the transaction signed is for the correct bitcoin address and using the correct transaction fee.
Without a screen and on-device confirmation, the user is left to trust the host device to send the correct information to the hardware wallet.
More specifically: If you are using a computer and a hardware wallet without a screen, a malicious program might look and act like the authentic wallet app visually, but instead of creating a transaction with your intended bitcoin address, it sends the hardware wallet a transaction containing a completely different address and amount. Because the wallet does not know any better, it signs the transaction and sends it back to the computer, which then broadcasts it.
No amount of security on the host device can mitigate the fact that the hardware wallet has to trust the host device, if it cannot validate the transaction data independently.
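A toy model of the signing flow described above, added here as an illustration and not BitBox firmware or app code: an HMAC stands in for the transaction signature, and the class, function names, key and addresses are constructed for the example. It compares a wallet with and without on-device confirmation when the host forwards a different address than the user intended.

```python
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"  # stand-in for the private key; never leaves the device
INTENDED = {"address": "bc1q-intended-constructed", "amount_sat": 50_000, "fee_sat": 300}


def _encode(tx):
    # Canonical encoding of the fields the host sends: receiver address, amount, fee.
    return json.dumps(tx, sort_keys=True).encode()


class HardwareWallet:
    """Toy model of the device; HMAC replaces a real signature scheme."""

    def __init__(self, has_screen):
        self.has_screen = has_screen

    def sign(self, tx, user_confirms):
        if self.has_screen:
            # The device displays what IT received, not what the host app shows.
            if not user_confirms(dict(tx)):
                return None  # rejected with the on-device button: nothing is signed
        # Without a screen the device has no way to ask, so it signs as received.
        return hmac.new(DEVICE_KEY, _encode(tx), hashlib.sha256).hexdigest()


def host_builds_tx(intended, substituted_address=None):
    # An untrusted host may forward different data than the user entered.
    tx = dict(intended)
    if substituted_address is not None:
        tx["address"] = substituted_address
    return tx


def run(has_screen, substituted_address=None):
    tx = host_builds_tx(INTENDED, substituted_address)

    def user_confirms(shown):
        # The user approves only if the on-device display matches their intent.
        return shown == INTENDED

    sig = HardwareWallet(has_screen).sign(tx, user_confirms)
    return {"signed": sig is not None, "signed_address": tx["address"] if sig else None}


if __name__ == "__main__":
    for screen in (False, True):
        for addr in (None, "bc1q-substituted-constructed"):
            print(f"screen={screen} substituted={addr is not None} ->", run(screen, addr))
```

The screenless wallet signs the substituted address because the only view the user has is the host's, while the wallet with a screen gives the user a second, independent view of the data before anything is signed.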
This raises the question: if the user has to trust the host device anyway, is there an added benefit over a purely software wallet?
We speak from experience. Our original BitBox01 hardware wallet did not feature a display but instead relied on an additional factor of authentication through a smartphone app. An encrypted communication channel between the hardware wallet and smartphone app would allow the latter to serve as a “secure remote screen”. In order to compromise this setup, ostensibly both the host computer and the smartphone app had to be attacked. However, such a setup was complex and full of pitfalls. If the encrypted communication channel was compromised, attacking only the host computer, and not the smartphone app, would even be sufficient to steal funds.
This clearly defeats the purpose of a hardware wallet. Even with a secured communication channel, security is on par with a multisignature wallet split up between a smartphone and a computer.
These lessons have been learned, which is why we retired the BitBox01 and added a big OLED display to the BitBox02.
Removing the display from a hardware wallet defeats its security benefits. We strongly encourage users and developers to outright dismiss products without screens.
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.