Protecting your Web3 devices has never been more important than it is today. Different studies have shown a huge increase in the number of Web3 scams, hacks, and fraud cases in 2023 alone.
While some of these hacks occur on crypto exchanges, recent reports state that Web3 devices themselves are also possible attack channels. Let’s find out more about this important topic.
Web3 Devices are also at Risk
There’s a new trend toward integrating Web3 into mobile devices. Crypto companies like Solana are spearheading this movement. Solana currently has an Android mobile device known as Saga.
However, Certik, an auditing company, recently found some vulnerabilities in this device that could possibly extend to other devices integrated with Web3. Certik notes that this security concern “goes beyond software risks to include potentially serious hardware vulnerabilities.”
While this risk was identified in the Solana phone, similar concerns might arise in other Android devices with comparable bootloader security configurations. The distinctiveness of this risk lies in the specific implementation and security measures (or lack thereof) in the…
— CertiK (@CertiK) November 17, 2023
The best strategy when it comes to security is a defense-in-depth approach. Instead of depending on a single solution, a better defensive technique uses several layers of security. For a mobile wallet, this means implementing a wide range of security safeguards rather than relying on just one, such as the operating system or secure hardware.
An Issue with Web3 Devices
Certik said it discovered a bootloader vulnerability on Solana’s Saga phone. This means that someone can possibly install a backdoor on the phone to compromise the software that powers the device.
Certik explained further: “The boot loader is unlocked, and software integrity cannot be guaranteed. Any data stored on the device may be available to attackers. Do not store any sensitive data on the device.”
Ever wondered about the security of your Web3 devices?
Our newest exploration reveals a significant bootloader vulnerability in the Solana Phone, a challenge not just for this device but for the entire industry. Our commitment to enhancing security standards is unwavering. 🔐… pic.twitter.com/lHZ5W7hXzy
— CertiK (@CertiK) November 15, 2023
Certik warned that hackers, under specific circumstances, could install custom firmware with a root backdoor, allowing them to view all plaintext data. This might occur before a customer receives their Web3 device. Certik believes you can possibly purchase a device without knowing that attackers have installed a backdoor and tampered with it.
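As an added example (not CertiK’s or Solana’s code), the following shell check shows how a user or auditor can read a device’s verified-boot properties over adb and detect the “bootloader unlocked, integrity not guaranteed” state described above. It assumes the standard Android boot properties named in the script (which ones a vendor populates varies), and the embedded property dump is a constructed sample, not real device output.

```sh
#!/bin/sh
# Added example, not CertiK's or Solana's code: reads the verified-boot
# properties an Android device reports and flags an unlocked bootloader.
# Assumes the standard Android boot properties below; vendors differ in which
# ones they populate, so a missing property is reported, not treated as a pass.

# Reads key=value lines on stdin, prints one finding per line and returns 0
# only if every check passes (locked bootloader, verified "green" boot state).
assess_boot_state() {
    rc=0; vbs=""; locked=""; devstate=""
    while IFS='=' read -r key val; do
        case "$key" in
            ro.boot.verifiedbootstate)   vbs="$val" ;;
            ro.boot.flash.locked)        locked="$val" ;;
            ro.boot.vbmeta.device_state) devstate="$val" ;;
        esac
    done
    case "$vbs" in
        green) echo "PASS verifiedbootstate=green (boot image verified by OEM key)" ;;
        "")    echo "WARN ro.boot.verifiedbootstate not reported"; rc=1 ;;
        *)     echo "FAIL verifiedbootstate=$vbs (unverified or custom-signed image)"; rc=1 ;;
    esac
    case "$devstate" in
        locked) echo "PASS vbmeta.device_state=locked" ;;
        "")     echo "WARN ro.boot.vbmeta.device_state not reported"; rc=1 ;;
        *)      echo "FAIL vbmeta.device_state=$devstate (custom firmware can be flashed)"; rc=1 ;;
    esac
    case "$locked" in
        1)  echo "PASS flash.locked=1" ;;
        "") echo "WARN ro.boot.flash.locked not reported (vendor-specific, not fatal alone)" ;;
        *)  echo "FAIL flash.locked=$locked"; rc=1 ;;
    esac
    return $rc
}

# Pulls live values over adb; getprop prints "[key]: [value]", sed makes key=value.
collect_props() {
    adb shell getprop | tr -d '\r' | sed -n 's/^\[\(ro\.boot\.[^]]*\)\]: \[\(.*\)\]$/\1=\2/p'
}

# Constructed sample (not real device output) mirroring the unlocked state.
SAMPLE_UNLOCKED='ro.boot.verifiedbootstate=orange
ro.boot.vbmeta.device_state=unlocked
ro.boot.flash.locked=0'

if [ "${1-}" = "--live" ]; then
    collect_props | assess_boot_state
else
    printf '%s\n' "$SAMPLE_UNLOCKED" | assess_boot_state || echo "RESULT: do not store keys on this device"
fi
```

Run with `--live` against an attached device to check real values; without arguments it evaluates the constructed sample.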
How Safe are TEEs?
Trusted Execution Environments (TEEs) are a popular security measure for mobile devices. They protect sensitive data, like private keys, from software attackers. However, Certik, in its report, found some vulnerabilities in TEEs, stating that their effectiveness depends on how they are implemented.
Our second video on mobile web3 security focuses on TEE security. Correct implementation of TEE-based secure vaults is crucial. Despite their robust designs, they remain susceptible to software exploits.
Our investigation showcases the real impact of these risks on privacy and… pic.twitter.com/Sp7McpEaDv
— CertiK (@CertiK) November 27, 2023
Certik claims that hackers could extract the PIN code stored in the TEE. This way, attackers are able to access the wallet and retrieve private keys. Certik notes that hackers can exploit TEEs due to flawed implementation.
So, the blockchain auditor advised that the implementation of TEE-based secure vaults must be assessed by qualified security specialists. These evaluations are essential to guaranteeing that the TEEs work as designed and offer the high degree of security required for the storage of private keys in Web3 wallets.
What’s the Best Way for a User to Protect Their Device?
Certik advises users to select wallets and apps with sophisticated security measures and to remain constantly aware of the physical security of their devices. Ensure the app, wallet, or Web3 product you intend to use has been audited by a reputable blockchain security firm. This provides an extra layer of confidence.
In addition, developers should focus on implementing strong security features for blockchain and Web3 technologies that store assets.