Hardware wallets (Ledger, Trezor) the supply chain and VeChain

Hardware wallets

The general consensus in the crypto community is that hardware wallets are probably the best way to manage your crypto assets. (unless of course you are a l33t Bitcoin hacker [a] or think you can do better with a self created air gapped iPhone/computer [b]). For most of us, hardware wallets are user friendly and facilitate storing and using your crypto in a straight forward, easy to manage and secure manner.

The two oldest and most popular companies in the space are Ledger and Trezor. Both have been rigorously tested and put through the paces, both have known strengths and weaknesses. (In a nutshell Ledger contains a “secure element”, maintaining some secrecy, and Trezor is an entirely open sourced model)

Interestingly enough both and seemingly “all” hardware wallet manufacturers share a vulnerability. As pointed out by Trezor in their response to several accusatory security findings “Out-of-scope, affects all hardware in transport, no 100% solution, all companies have different methods to mitigate this”

Supply Chain Attack

The length of time in which the device has left the manufacturer and is not in your possession is time the device could be intercepted and tampered with, replaced, hacked, substituted, altered, etc.

Ironically, there is blockchain technology specifically designed to mitigate this threat and provide assurance of device authenticity. VeChain.

What is VeChain?

“VeChain is a blockchain-based platform that records the truth of what happens at every stage of the supply chain.” [1]

Specifically from VeChain white paper:

Use Cases

5.3 Anti-counterfeiting and digitization for high value products

VeChain’s solution allows brands to digitize products on the blockchain by establishing the linkage between the physical product and unique blockchain identity using smart NFC tags. With the unique digital identity, the solution provides the traceability over the life-cycle of products from the manufacturing, logistics and supply chain, retail and wholesale, after service, and even consumer engagement on the blockchain. [2]

Questions/Concerns

Q1: How do you prevent tampering with chips/codes? [3]