The hidden risk of updatable firmware
Opinion by: Igor Zemtsov, chief technology officer at TBCC
Crypto security is a ticking time bomb. Updatable firmware might just be the match that lights the fuse.
Hardware wallets have become the holy grail of self-custody, the ultimate safeguard against hackers, scammers and even government overreach. There’s an inconvenient truth, however, that most people ignore: Firmware updates aren’t just security patches.
They’re potential backdoors, waiting for someone — whether a hacker, a rogue developer or a shady third party — to kick them wide open.
Every time a hardware wallet manufacturer pushes an update, users are forced to make a choice. Hit that update button and hope for the best, or refuse to update and risk using outdated software with unknown vulnerabilities. Either way, it’s a gamble.
In crypto, a bad gamble can mean waking up to an empty wallet.
Firmware updates aren’t always your friend
Updating firmware sounds like common sense. More security! Fewer bugs! Better user experience!
Here’s the thing: Every update is also an opportunity not just for the wallet provider but for anyone with the power, or motivation, to tamper with the process.
Hackers dream of firmware vulnerabilities. A rushed or poorly audited update can introduce tiny, almost imperceptible flaws — ones that sit in the background, waiting for the right moment to drain funds. And the best part? Users will never know what hit them.
Then there’s the more unsettling possibility: deliberate backdoors.
Recent: Hardware wallet Ledger helps competitor Trezor resolve security vulnerability
Tech companies have been forced to include government-mandated surveillance tools before. What makes anyone think hardware wallet makers are exempt? If a regulatory agency — or worse, a criminal organization — wants access to private keys, firmware updates are the perfect attack vector. One hidden function. One disguised line of code.
That’s all it takes. Still think firmware updates are harmless?
Firmware vulnerabilities are already being exploited
This isn’t some far-fetched, doomsday scenario. It has already happened.
Ledger, one of the biggest names in crypto security, had a major security crisis in 2018 when security researcher Saleem Rashid exposed a vulnerability that allowed attackers to replace Ledger Nano S firmware and hijack private keys. Nearly 1 million devices were at risk before a fix was rolled out. The scary part? There was no way for users to know if their devices had already been compromised.
In 2023, OneKey suffered a similar nightmare. White hat hackers demonstrated that its firmware could be cracked in mere seconds. No crypto was lost — this time. But what if real attackers had found the flaw first?
Then came the “Dark Skippy” exploit, taking firmware-based attacks to an entirely new level. With just two signed transactions, hackers could extract a user’s entire seed phrase — without setting off a single alarm. If firmware updates can be manipulated this easily, how can anyone be sure their assets are safe?
The hidden price of updatable firmware
To be fair, not all firmware updates are security disasters. Ledger uses a proprietary operating system and secure element chips for added protection now. Trezor takes an open-source approach, allowing the community to scrutinize its firmware. Coldcard and BitBox02 give users manual control over updates, reducing — but not eliminating — risk.
Here’s the real question: Can users ever be 100% sure that an update won’t introduce a fatal flaw?
Some wallets have decided to eliminate the risk altogether. Tangem ships with fixed, non-updatable firmware, meaning that its code can never be altered once the device leaves the factory. No updates. No patches.
Of course, this approach has its trade-offs. If a vulnerability is discovered, there’s no way to fix it. But in security, predictability matters.
Real crypto security means taking back control
The crypto market was worth $2.79 trillion as of March 2025. With that much money on the table, cybercriminals, rogue insiders and overreaching governments are always looking for weak points. Hardware wallet makers should be laser-focused on security.
Choosing a hardware wallet shouldn’t feel like gambling with private keys. It shouldn’t involve blind trust in a corporation’s ability to push updates responsibly. Users deserve more than vague reassurances. They deserve security models that put control where it belongs — with them.
Security isn’t about convenience. It’s about control. Any system that requires trusting unknown developers, opaque update processes or firmware that can be changed at will? That’s not control. That’s a liability.
The only real way to keep a hardware wallet safe? Remove the guesswork. Strip away the blind trust. Always research the developers’ backgrounds, check their track record for security incidents, and see how they’ve handled past vulnerabilities. Stick to verifiable facts — security should never be based on assumptions.
Opinion by: Igor Zemtsov, chief technology officer at TBCC.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Jay Clayton, recently appointed interim US Attorney for the Southern District of New York (SDNY) and former chair of the Securities and Exchange Commission, has begun offering statements in criminal cases involving crypto fraud.
In an April 23 notice, the US Attorney’s Office said Eugene William Austin, also known as Hugh Austin, had been sentenced to 18 years in prison following his conviction on conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit interstate transportation of stolen property. Together with his son, Brandon, sentenced to four years, Austin offered fraudulent crypto investment services, resulting in roughly $12 million in losses to more than 24 people.
“For years, Hugh Austin was the leader of a fraud and money laundering scheme that stole more than $12 million from more than two dozen victims,” said Clayton. “Austin involved his own son in his crimes, working with him to rip off victims and spending investor money on personal expenses, like luxury hotels […] Austin will now be held accountable for the harm he caused to individual investors and others.”
The criminal case involving digital assets marked one of Clayton’s first public statements since becoming the interim US Attorney on April 22. US President Donald Trump nominated Clayton on Jan. 20 when he took office. The district has since seen the resignation of acting US Attorney Danielle Sassoon in response to the Justice Department directing her to halt a case against New York City Mayor Eric Adams.
Related: US prosecutors file over 200 victim statements in Celsius ex-CEO’s case
The nation’s ‘sovereign district’ overseen by a Trump appointee?
Under current law, Clayton can serve as interim US Attorney for the district for 120 days without Senate confirmation. Senate Minority Leader Chuck Schumer blocked a vote on Clayton’s nomination, saying Trump had “no fidelity to the law.”
Clayton will likely oversee SDNY during the sentencing hearing for former Celsius CEO Alex Mashinsky and potentially other criminal cases involving cryptocurrency. The district is home to Wall Street firms and many of the country’s most prominent financial institutions.
Magazine: SEC’s U-turn on crypto leaves key questions unanswered
The US Securities and Exchange Commission (SEC) crypto task force, headed by Hester Peirce, has continued meeting with digital asset company representatives as the agency explores regulatory changes.
In an April 24 notice, the SEC task force disclosed a meeting with representatives from crypto firm Ondo Finance and the law firm Davis Polk and Wardwell to discuss “issuing and selling wrapped, tokenized versions of publicly traded US securities.” Ondo Finance donated $1 million to Donald Trump’s inauguration fund, and the law firm announced on April 22 that it would represent the US President’s social media company, Truth Social, to launch crypto-linked exchange-traded funds.
According to the meeting request, Ondo Finance planned to discuss registration requirements for tokenized securities, compliance with financial laws, and potentially launching a regulatory sandbox. Cointelegraph reached out to the firm for comment but did not receive a response at the time of publication.
The April 24 meeting was the latest in the SEC crypto task force’s outreach to the industry following the departure of former chair Gary Gensler. Former commissioner and Trump appointee Paul Atkins took over leadership at the agency on April 21 after his swearing-in ceremony, but has yet to take action on his proposed crypto agenda.
Related: Chiliz meets with SEC Crypto Task Force amid US market reentry plans
Continuing outreach to industry under new SEC chair
On April 25, the crypto task force will host a roundtable event to discuss custody, including representatives from Kraken, Anchorage Digital Bank, WisdomTree, and others. Following the approval of crypto exchange-traded funds in 2024, many financial institutions have seen demand for digital asset custody in the US grow significantly.
It’s unclear what the SEC’s intentions may be regarding pursuing crypto enforcement cases under Atkins. The commission has stated it will continue cases involving fraudulent activity, but dropped a complaint against Hex founder Richard Heart on April 21.
The agency has already announced it will stop investigations or lawsuits against many firms, including Ripple, Coinbase, and Kraken. All three exchanges donated or had executives who supported Trump’s 2024 campaign or inauguration fund.
Magazine: Trump’s crypto ventures raise conflict of interest, insider trading questions
The government will decide by the summer on controversial proposals to charge some households more for their electricity than others, Sky News understands.
The energy secretary Ed Miliband has been mulling over plans for “zonal pricing”, which would see different regions of the country pay different rates, based on supply and demand levels in the local area.
The idea is to attract industry to build in low-cost areas, and incentivise new electricity generation in regions where people need it most.
Supporters say zonal pricing could lower everyone’s bills to some extent by making the system more efficient – but some would fall more than others.
Critics, including renewable energy generators, warn the plans would create a postcode lottery for bills and put investors off certain areas, risking jobs.
It is not yet clear how the changes would be passed on to household bills. But it could see people in the south of England pay much more than those in parts of Scotland – though not, the government hopes, more than they do now.
Mr Miliband is expected to make his recommendation to fellow government ministers in the coming weeks, before the government decides either way by the middle of this year.
They are keen to resolve the issue – which was also considered under the last Tory government – before businesses start bidding for fresh renewable power contracts in summer.
UK still ‘vulnerable and exposed’
It comes as the UK government hosts a summit on energy security in London today, lobbying other countries to leave fossil fuels behind.
Read more: UK clean energy vision collides with Trump’s fossil fuel frenzy
Mr Miliband said the government’s push to generate more clean power at home was as much about energy security as it was about fighting climate change.
“As long as energy can be weaponised against us, our countries and our citizens are vulnerable and exposed,” he said in a speech.
But he also said North Sea oil and gas would “continue to play an important role” in the UK energy mix, fuelling campaigners’ fears it may yet allow the Rosebank oil and gas field to go ahead, despite hurdles in court and the government’s own concerns.
Mr Miliband quoted a message from King Charles that said the “transition to more sustainable energy sources can itself lead to more resilient and secure energy systems”.
Please use Chrome browser for a more accessible video player
Miliband reads King’s letter at summit
Trump’s representative invokes God
US President Donald Trump’s junior representative at the summit, acting assistant secretary Tommy Joyce, quoted the Bible in his address.
He urged delegates to “remember God’s golden rule, and that is that we should love our neighbour as ourselves”.
That means helping them out of poverty through access to affordable energy, according to Mr Joyce.
About 750 million people in the world still have no access to electricity, and team Trump says American oil, gas and coal are the answer.
However, a report by RMI suggests that new wind and solar are the cheapest option for new electricity in 82% of the world – though for some countries are hard to finance upfront.
Mr Joyce also continued Trump’s ongoing attacks on climate policies, criticising what he described as “so-called renewables” and the “net zero agenda”.
‘Most delicate debate’
Before the summit, a senior UN official said the idea that the switch to clean power compromised energy security and affordability “is just not true”.
“We really need to dispel this notion,” said the source, speaking on the condition of anonymity. “If you are dependent on volatile and expensive fossil fuel imports, fossil fuels equal energy insecurity.”
A senior official from Brazil, which in November is hosting the COP30 UN climate summit, also this week said there had been a “rather successful” attempt by some to frame energy security and the switch to clean energy as a question of “either/or”.
“We don’t believe it is.”
He called it “one of the most delicate debates” of the moment.
-
Sports3 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports1 year agoStory injured on diving stop, exits Red Sox game
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports4 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business3 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway