Using a Chromebook to compliment a hardware wallet setup

One can purchase a Chromebook and leverage the containerized operating system for a few hundred bucks. Essentially, it's a very sanitary operating system

Listen to this instead

Using a Chromebook to compliment a hardware wallet setup

When dealing with non-trivial amounts of cryptocurrency, the standard that most people adopt to use typically involves a hardware wallet. Between the two, the most prevalently used hardware wallet manufacturers are Ledger and Trezor.

There are others, but these two manufacturers have the most combined distribution in the marketplace. They've been very aggressive in supporting many of the networks in the cryptocurrency space and the tokens on them.

Criminals, hackers, and various nefarious groups of individuals have looked to exploit this and find ways to compromise the users of hardware wallets. One of the ways that we see this happening is through phishing emails. As many of us have signed up with centralized exchanges or other cryptocurrency-related websites, and data breaches become increasingly common over time, people's email addresses inevitably end up on the dark web. These email addresses become part of bulk fishing operations.

Because Ledger and Trezor are so popular, there's a higher likelihood that the recipient of a phishing email might own one of these devices. These emails often appear as notifications to upgrade firmware or the desktop wallet software.

To compromise a hardware wallet or hardware signing device, one of the most prevalent ways to target someone would be to try to get their seed phrase -- the 12 or more words that one backs up when they initially set up their hardware wallet. So if someone sends a phishing email and can trick someone into doing this as part of an upgrade process, they can take that person's funds by restoring them to another wallet.

Another way is as people become increasingly entrenched in the crypto space and experiment with various networks and technologies, they often will install CLI-based programs and desktop-based programs to be some of the first users of these networks and technologies. There's a mentality of having a first-mover advantage in crypto. The earliest holders sometimes may reap a more significant reward by acquiring more considerable sums at a smaller price or acquiring quantities of these assets via airdrop by being some of the initial users.

So people are becoming more and more willing to install software to interact with these networks. We're seeing things like incentivized test networks, whereby checking to ensure that certain functions perform, they give feedback to core developers. People then receive tokens on these platforms and networks for doing so.

The point I'm getting to is that people are installing things on their machines, and in some cases, they may not understand how they work or even what these programs are doing. They're just looking to get these reward tokens for doing it in hopes of a financial reward later. So when you combine that with somebody that already has a hardware wallet, we can see where there's a possibility that some software might get installed on a machine that would enable a nefarious actor to seek to compromise a hardware wallet.

One additional last way that's becoming more common to compromise hardware wallets is via upstream dependencies that developers may encounter when working in the local stack, relating to the network chain or app infrastructure they deal with regularly.

For example, if I'm a core developer for an upcoming dapp or network/protocol. Or I'm regularly interacting with large sums of a token. Or building software that does that. Being able to compromise hardware signing devices that I may be interacting with in those types of contexts would be very valuable to a hacker. So especially in an experimental environment when one is regularly prototyping and using different upstream dependencies from a developmental standpoint, we can see where this starts introducing attack vectors. Hackers can gamble on the possibility that the machine might also interact with a hardware wallet that touches large sums of digital assets.

Using a dedicated Chromebook set up only for hardware assigning operations is a relatively inexpensive way to help further insulate people from these attack vectors. And mainly here, we're talking about Metamask-based hardware signing operations. Both Trezor and Ledger will work with Metamask on a Chromebook.

Note: Metamask only supports EVM-compatible networks/chains.

One can purchase a Chromebook and leverage the containerized operating system for a few hundred bucks. Essentially, it's a very sanitary operating system. If it's not tampered with, it will essentially be a browser (Chrome) and the factory Chrome OS software that accompanies it. In this signing environment, one would use Chrome to install Metamask and then connect their Ledger or Trezor to it and only use this device for signing and broadcasting transactions. There should be no other additional software or browser extensions/add-ons.

Using a Chromebook as a dedicated signing environment helps further protect one from situations I've mentioned previously and creates additional security for day-to-day transactions.