This piece might ruffle a few feathers. That’s because there are a lot of people out there who think having an Airgap Wallet makes their setup super secure and basically hacker proof, but they’re wrong.
One of the most common ways people fail at security is by thinking that something is secure… when in fact it’s not. So today we’re going to explain what Air Gapped Hardware Wallets are and cut through the often incorrect or just misleading marketing that many Hardware Wallet vendors push to make sure you’re protected.
What Is An Airgap Wallet?
An Air Gapped Wallet is a crypto wallet that is completely disconnected from any computer or network such as the Internet. They are generally never plugged into the computer and instead communicate by passing microSD cards back and forth or via QR codes.
One of the most popular examples of a Hardware Wallet that supports air gapped transaction signing is the COLDCARD. The theory is that this physical isolation from the Internet and computer makes the Hardware Wallet more secure as it can’t be hacked if it’s not actually connected to anything.
The idea of an air gapped computer has been around for decades now. Ever since the Internet was created and people realised that others could hack into their networks and devices, air gapping has been used for things that needed the highest level of security.
As we noted in our Bitcoin Security guides, the best way to protect against a security risk is to completely remove it. But while you might think having your wallet air gapped completely removes the risk of hacking, it doesn’t. In fact, it doesn’t really seem to do much of anything for security as we’ll explain below.
How Do You Use An Air Gapped Wallet To Send Bitcoin?
Although the Hardware Wallet is completely disconnected from the Internet or any other computer, data still needs to flow back and forth between the Hardware Wallet and the Computer if you ever want to spend your bitcoins. This is because the Hardware Wallet is what’s used to sign the transaction and prove that you own the bitcoins you’re spending.
So let’s look at how most air gapped crypto wallets operate today when you want to create and broadcast a Bitcoin Transaction:
- Create Transaction: The computer creates an unsigned transaction which is called a Partially Signed Bitcoin Transaction (PSBT) as defined by BIP174
- Save PSBT: This PSBT transaction data is saved to a microSD card
- Transfer PSBT: You move the microSD card from the computer to the Hardware Wallet
- Sign PSBT: The Hardware Wallet uses your Private Key to sign the PSBT
- Transfer Signed Transaction: You again move the microSD card back to the computer
- Broadcast Signed Transaction: Now that it’s a fully signed transaction, the computer broadcasts it to the Bitcoin network
Why Air Gapped Hardware Wallets Don’t Increase Security
While “not being connected” sounds pretty logical and bullet proof at face value, data is still being transferred back and forth between this “untrusted computer” and the air gapped Hardware Wallet. It’s just using a microSD card and you as the transfer medium rather than a USB cable. The key thing to point out here, the reason why having an air gap doesn’t increase security, is this:
The security of the Hardware Wallet depends on the integrity of the data being transferred. Not how that data is transferred.
The untrusted computer can put a giant ass virus on that microSD card and when you plug it into your “totally hacker proof air gapped crypto Hardware Wallet” it’ll still infect it. This isn’t a perfect analogy obviously, but it helps to make the point clear. It doesn’t matter how the data gets there… it’s what the data is that’s important.
There are multiple ways to transmit data to and from a Hardware Wallet, such as:
- USB Cable: The traditional data transfer method
- USB Drive / microSD Card: Use microSD cards to transfer the data
- NFC: Uses the Near Field Communications standard to transfer the data
- QR Code: Uses a QR code to encode the data, the Hardware Wallet then takes a photo of it
- Bluetooth: Uses Bluetooth standards to transfer the data, popular with mobile wallets
Whether you’re transmitting data to the Hardware Wallet via QR Code, microSD card or a more normal (non air gapped) USB connection there is still data going back and forth. If someone infects your computer and takes control of your software wallet, it won’t matter how the maliciously created transaction data is transferred to the Hardware Wallet.
What matters is how that Hardware Wallet receives, inspects and sanitises the data. If it’s not doing this, an air gapped Hardware Wallet can 100% still get hacked, so be sure to understand that something being “air gapped” doesn’t make it bullet proof.
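An added example, not taken from this article or from any wallet vendor's firmware: a strict parser for the outer envelope of a BIP174 PSBT (magic bytes plus the global key-value map), showing the bounds and duplicate-key checks a signer has to apply identically whether the bytes arrived by microSD, QR code or USB. The function names and the size limit are assumptions, and it covers only the container of a version 0 PSBT, not the transaction inside it.

```python
MAGIC = b"psbt\xff"          # BIP174 magic bytes plus 0xff separator
MAX_PSBT_BYTES = 1_000_000   # assumed device limit, not a BIP174 value

class PSBTError(ValueError):
    """Raised for any input the signer must refuse to process."""

def read_compact_size(buf, pos):
    """Decode a Bitcoin compact-size integer without reading past the buffer."""
    if pos >= len(buf):
        raise PSBTError("truncated length prefix")
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    end = pos + 1 + width
    if end > len(buf):
        raise PSBTError("truncated length prefix")
    return int.from_bytes(buf[pos + 1:end], "little"), end

def read_map(buf, pos):
    """Parse one key-value map; returns (entries, position after the map)."""
    entries = {}
    while True:
        key_len, pos = read_compact_size(buf, pos)
        if key_len == 0:                      # 0x00 separator ends the map
            return entries, pos
        if pos + key_len > len(buf):
            raise PSBTError("key runs past end of data")
        key, pos = buf[pos:pos + key_len], pos + key_len
        val_len, pos = read_compact_size(buf, pos)
        if pos + val_len > len(buf):          # attacker-chosen length field
            raise PSBTError("value runs past end of data")
        if key in entries:                    # BIP174 forbids duplicate keys
            raise PSBTError("duplicate key")
        entries[key], pos = buf[pos:pos + val_len], pos + val_len

def check_psbt_header(raw):
    """Validate envelope and global map; the transport is irrelevant here."""
    if len(raw) > MAX_PSBT_BYTES:
        raise PSBTError("oversized input")
    if raw[:5] != MAGIC:
        raise PSBTError("bad magic")
    global_map, pos = read_map(raw, 5)
    if b"\x00" not in global_map:             # key type 0x00: unsigned tx
        raise PSBTError("missing unsigned transaction")
    return global_map, pos

# Constructed sample: valid envelope with placeholder bytes as the value.
SAMPLE = MAGIC + b"\x01\x00" + b"\x04" + b"\xde\xad\xbe\xef" + b"\x00"
```

A real signer goes on to parse the unsigned transaction, the per-input and per-output maps, and to confirm amounts and destinations on its own screen; this block stops at the container layer.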
Just as with any other type of security, having an air gap wallet is not a panacea and doesn’t just magically make your crypto “hacker proof”. An internationally famous example of air-gapped computers getting hacked was the Stuxnet malware that took down a uranium enrichment facility in Iran in 2010.
Reduced Security, Reduced Usability
Digging further into this, you might think that by removing the USB cable you’re decreasing the attack surface area of the Hardware Wallet. But as noted above, the data is still being transmitted via microSD card (or Bluetooth or QR code etc). Did you know that microSD cards have a micro-controller inside them?
This mini computer type brain runs firmware that obviously can be hacked and increases the attack surface area. What about QR codes? Well now you’ve got camera hardware (again with micro-controllers in them) plus even more things like external software library dependencies to read in the picture, analyse the QR code etc. Bluetooth is just as bad with more library dependencies and all the security risks that come with Bluetooth in general.
At the end of the day you’re essentially trading one attack surface area (the USB cable) for another or worse, multiple others! It can also trick users into a false sense of security by thinking their device is 100% protected when it’s not.
On top of all of this, it decreases usability of the device and adds multiple steps that can introduce user error. Complexity is the enemy of security and adding more steps, more microSD cards, more software code etc all adds complexity that can result in potential attacks.
The Athena Assessment
To be clear, if your wallet supports air gap operations it doesn’t make it a bad Hardware Wallet. We’ve been using the COLDCARD as an example in this piece but we’d still heavily recommend the COLDCARD over a Ledger as it’s more secure and private.
Air gapped isn’t bad per se, but it’s also not really that good either. It certainly doesn’t make your Hardware Wallet hacker proof or more secure, so be sure you don’t fall into that trap. We also wouldn’t recommend insisting on the feature when you’re buying one.
All communication channels, from USB to microSD to Bluetooth can be compromised in various ways. So don’t fall for their marketing that claims things like it’s “more transparent” or is for those that “want to reach the next level paranoia”.
Your Hardware Wallet should be unplugged and powered off for the vast majority of its life regardless of how it connects to a computer. When it is plugged in, make sure it’s done over an encrypted USB connection as this makes tampering with it much more difficult.
Make sure it’s connected to a well set up and maintained computer that’s dedicated only to Bitcoin, as described under the Expert Computer Security section of our Expert Bitcoin Security guide. Another Hardware Wallet Risk to watch out for is that most major vendors use the same MCU.
Most importantly, make sure the Hardware Wallet correctly validates and inspects the data that’s sent to it. This is the far more critical thing to pay attention to, not whether it ticks the feature box of air gapped or not.
Is Ledger Air-Gapped?
No. Ledger doesn’t support air-gapped operation and requires a USB connection to operate. We also do not recommend readers buy or use a Ledger as it doesn’t meet our security and privacy standards.
What Is An Air-Gapped Key?
An Air-Gapped Key refers to a Private Key that is stored on an air gapped Hardware Wallet. This usually means it is never physically plugged into a computer via a USB cable.