Receiving address attack on Chrome-extension-based wallet software and subresource integrity

A recent post on the Ledger receiving address attack initiated this research:

Here are the countermeasures I can think of:
(Please do add more, especially if you are aware of the software engineering process of the hardware wallet vendors.)

1. Hardware wallet vendors to adopt ‘subresource integrity’

The attack demonstrated was based on the ability to change code inside a JavaScript file on your PC. The ‘subresource integrity’ recommendation addresses this threat and offers a solution. However, it takes time for vendors to recognise it.

I also would like to know whether the ‘subresource integrity’ is sufficient. Please do comment on this.

2. Use the compiled version instead of the chrome extension version

There are different versions of wallet applications on offer, even from the same vendor. The compiled version for Windows, Mac or Linux should be less prone to malicious modification.

The good news is Ledger is phasing out the chrome apps by June 2018: Ledger timeline on trello

3. Use myetherwallet.com (This is only a transfer of responsibility in reality.)

Since myetherwallet is a website, they would have to adopt the same ‘subresource integrity’ recommendation in their coding practice to avoid the same receiving address attack.

If anyone knows the myetherwallet coding convention, please do comment.

4. Cross check with the past transfers.

Many exchange deposit/withdrawal addresses do not change for a given account. And the receiving addresses of many cryptocurrencies in a hardware wallet do not change, either. Verifying the history can reduce the risk significantly.

5. Keep minimum Chrome extension app installation

Deleting any dormant or rarely used Chrome apps reduces the address attack risk. Google is ending Chrome apps for good reasons.

6. Use a dedicated trading environment.

Disciplined practices are the simplest way to avoid risk. A dedicated Linux-based PC (or a Linux installation in VirtualBox) reduces the risk significantly. Linux performs well on the slowest hardware you can find in a household.

7. Antivirus and Anti-malware

Keep them up to date. Paying for good malware detection software is still worth it.

3 Likes

I like this. I have an old VAIO stashed away. I think I may wipe it and convert it to Linux and make it my offline hardware wallet. Thanks for this thread.

2 Likes

I'm actually about to do just that with my spare machine… run Linux.

1 Like

A Linux PC is still an online device. It is less vulnerable to attacks if you keep the installation minimal.

1 Like
