Smartphones Are the Safest Devices to Store Cryptocurrency, Samsung Says

Omar Faridi
  • Samsung Electronics says smartphones are the safest device to store cryptocurrency.
  • “Spendable” digital currency can be securely stored on smartphones because of a Trusted Execution Environment (TEE).

Samsung Electronics, one of the world’s largest smartphone manufacturers, recently stated in an official blog post that mobile-based crypto wallets are the best and safest option for cryptocurrency “short-term and medium-term storage.”

The post explains that smartphone-based cryptocurrency wallets are a fairly secure place to hold digital “spending money,” equivalent to the amount of fiat one would keep in a physical wallet. For storing cryptocurrency on a long-term basis, Samsung recommended creating several backups of the private key associated with crypto wallets.

Offline Storage Preferred

The smartphone maker added that private keys should be kept in cold storage (offline) to maximize security, which means they should not reside on a mobile phone or any other device regularly connected to the internet.

Samsung’s blog post argues that smartphone-based crypto wallets are the safest place to store “spendable” cryptocurrency because of a mobile phone feature called the Trusted Execution Environment (TEE). The TEE runs in its own independent execution environment, which means that its random-access memory (RAM) and persistent storage (usually a hard drive) are separate from a smartphone’s main operating system.

Due to a separate run-time environment, the Android OS can’t directly access the TEE, even if the operating system has been hacked. Moreover, the TEE can only be accessed via an application programming interface (API), Samsung’s blog notes.

The smartphone manufacturer refers to the small-sized apps in the TEE as “trustlets” and notes that all reliable mobile-based cryptocurrency wallets restrict and control access to users’ private keys by keeping them in seemingly impenetrable trustlets. Per Samsung, this helps ensure “security is seriously tight,” as it’s nearly impossible for malware to reach private keys stored this way.

Vulnerabilities Still Exist

The smartphone company added that its Samsung Knox platform’s TEE provides an even greater level of security. It warned that since TEE hardware is not available on laptop and desktop computers, the private keys stored in these devices may be easily compromised.

Despite the high level of security TEEs offer, Samsung claims a novice programmer can potentially make the mistake of designing a crypto wallet that stores private keys on a smartphone’s hard drive, making it vulnerable to hackers. Moreover, wallets themselves can be infected with malware on purpose.

Interestingly, Samsung’s blog post comes shortly after Ethereum wallet interface MyEtherWallet released a ‘hardware wallet’ app beta for iOS, which it claims could give users the same security cold-storage solutions do.

Coinbase Says Recent Zero-Day Attack Targeted Staff, Not Investors

Neil Dennis

Coinbase sought to reassure investors on Thursday over concerns that customer accounts may have been targeted in an attack that exploited a recent Firefox zero-day.

The San Francisco-based cryptocurrency exchange said that the attack, discovered on Monday, had targeted Coinbase employees and that the exchange and its customers' accounts were untouched.

Software Vulnerabilities

A zero-day is a vulnerability in computer software that can remain unknown to those who provide and use that software for several days or weeks, yet, if discovered by hackers, can provide the opportunity to exploit that weakness for mischief or profit.

Coinbase's cyber security team, led by Philip Martin, discovered the zero-day vulnerability in Mozilla's Firefox software and reported it immediately to the web browser provider, which then issued a patch to rectify the fault.

However, the zero-day event may have lasted for weeks, according to Google engineer Samuel Gross, who helped develop the patch. He said on Twitter that he had reported a bug in Firefox to Mozilla in mid-April.

Coinbase Security on the Alert

While it remains unclear how soon attackers noticed the vulnerability and how extensively the bug was exploited, Coinbase detected the attack on its staff before the hackers could dig deeper into the back-end network from where they could have stolen funds from the exchange.

Philip Martin explained on Twitter that the security team "walked back" the entire attack and reported the zero-day to Firefox. He added the team was working with other organizations to "continue burning down attacker infrastructure and digging into the attacker involved".

He continued: "We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted."

Martin concluded: "If you believe you have been impacted by this attack or you have more intel to share and want to collaborate with us on a response, please reach out to [email protected]"

Growing Problem

Zero-day attacks are on the increase. In a 2018 survey by the Ponemon Institute, the State of Endpoint Security Risk report, respondents said that 37% of cyber attacks launched against their companies were zero-day events. This was a 48% increase from 2017.

Meanwhile, 63% of the survey's respondents said that the frequency of zero-day attacks had increased over the previous 12 months.