The hidden risk of updatable firmware

Opinion by: Igor Zemtsov, chief technology officer at TBCC

Crypto security is a ticking time bomb. Updatable firmware might just be the match that lights the fuse.

Hardware wallets have become the holy grail of self-custody, the ultimate safeguard against hackers, scammers and even government overreach. There’s an inconvenient truth, however, that most people ignore: Firmware updates aren’t just security patches. 

They’re potential backdoors, waiting for someone — whether a hacker, a rogue developer or a shady third party — to kick them wide open.

Every time a hardware wallet manufacturer pushes an update, users are forced to make a choice. Hit that update button and hope for the best, or refuse to update and risk using outdated software with unknown vulnerabilities. Either way, it’s a gamble. 

In crypto, a bad gamble can mean waking up to an empty wallet.

Firmware updates aren’t always your friend

Updating firmware sounds like common sense. More security! Fewer bugs! Better user experience!

Here’s the thing: Every update is also an opportunity not just for the wallet provider but for anyone with the power, or motivation, to tamper with the process.

Hackers dream of firmware vulnerabilities. A rushed or poorly audited update can introduce tiny, almost imperceptible flaws — ones that sit in the background, waiting for the right moment to drain funds. And the best part? Users will never know what hit them.

Then there’s the more unsettling possibility: deliberate backdoors.

Tech companies have been forced to include government-mandated surveillance tools before. What makes anyone think hardware wallet makers are exempt? If a regulatory agency — or worse, a criminal organization — wants access to private keys, firmware updates are the perfect attack vector. One hidden function. One disguised line of code. 

That’s all it takes. Still think firmware updates are harmless? 

Firmware vulnerabilities are already being exploited

This isn’t some far-fetched, doomsday scenario. It has already happened.

Ledger, one of the biggest names in crypto security, had a major security crisis in 2018 when security researcher Saleem Rashid exposed a vulnerability that allowed attackers to replace Ledger Nano S firmware and hijack private keys. Nearly 1 million devices were at risk before a fix was rolled out. The scary part? There was no way for users to know if their devices had already been compromised.

In 2023, OneKey suffered a similar nightmare. White hat hackers demonstrated that its firmware could be cracked in mere seconds. No crypto was lost — this time. But what if real attackers had found the flaw first?

Then came the “Dark Skippy” exploit, taking firmware-based attacks to an entirely new level. With just two signed transactions, hackers could extract a user’s entire seed phrase — without setting off a single alarm. If firmware updates can be manipulated this easily, how can anyone be sure their assets are safe?

The hidden price of updatable firmware

To be fair, not all firmware updates are security disasters. Ledger uses a proprietary operating system and secure element chips for added protection now. Trezor takes an open-source approach, allowing the community to scrutinize its firmware. Coldcard and BitBox02 give users manual control over updates, reducing — but not eliminating — risk.

Here’s the real question: Can users ever be 100% sure that an update won’t introduce a fatal flaw?

Some wallets have decided to eliminate the risk altogether. Tangem ships with fixed, non-updatable firmware, meaning that its code can never be altered once the device leaves the factory. No updates. No patches. 

Of course, this approach has its trade-offs. If a vulnerability is discovered, there’s no way to fix it. But in security, predictability matters. 

Real crypto security means taking back control

The crypto market was worth $2.79 trillion as of March 2025. With that much money on the table, cybercriminals, rogue insiders and overreaching governments are always looking for weak points. Hardware wallet makers should be laser-focused on security.

Choosing a hardware wallet shouldn’t feel like gambling with private keys. It shouldn’t involve blind trust in a corporation’s ability to push updates responsibly. Users deserve more than vague reassurances. They deserve security models that put control where it belongs — with them.

Security isn’t about convenience. It’s about control. Any system that requires trusting unknown developers, opaque update processes or firmware that can be changed at will? That’s not control. That’s a liability.

The only real way to keep a hardware wallet safe? Remove the guesswork. Strip away the blind trust. Always research the developers’ backgrounds, check their track record for security incidents, and see how they’ve handled past vulnerabilities. Stick to verifiable facts — security should never be based on assumptions.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Sir Keir Starmer set for Donald Trump trade talks as PM walks diplomatic line between EU allies and US on Gaza

Gaza and transatlantic trade are set to dominate talks between Donald Trump and Sir Keir Starmer when the pair meet in Scotland on Monday.

Downing Street said the prime minister would discuss “what more can be done to secure the ceasefire [in the Middle East] urgently”, during the meeting at the president’s Turnberry golf course in Ayrshire.

Talks in Qatar over a ceasefire ended on Thursday after the US and Israel withdrew their negotiating teams.

Mr Trump blamed Hamas for the collapse of negotiations as he left the US for Scotland, saying the militant group “didn’t want to make a deal… they want to die”.

Sir Keir has tried to forge close personal ties with the president, frequently praising his actions on the world stage despite clear foreign policy differences between the US and UK.

The approach seemed to pay off in May when Mr Trump announced the agreement of a trade deal with the UK that would see several tariffs lowered.

The two leaders are expected to discuss this agreement when they meet, with the prime minister likely to press the president for a lowering of outstanding tariffs on imports such as steel.

Prior to the visit, the White House said the talks would allow them to “refine the historic US-UK trade deal”.

Extracting promises from the president on the Middle East may be harder though.

Despite some reports that Mr Trump is growing frustrated with Israel, there is a clear difference in tone between the US and its Western allies.

As he did over the Ukraine war, Sir Keir will have to walk a diplomatic line between the UK’s European allies and the White House.

On Thursday, French President Emmanuel Macron announced his country would formally recognise a Palestinian state in September, the first member of the G7 to do so.

That move was dismissed by Mr Trump, who said it “doesn’t carry any weight”.

The UK, French and German leaders spoke over the weekend and agreed to work together on the “next phase” in Gaza that would see transitional governance and security arrangements put in place, alongside the large-scale delivery of aid.

Under pressure from members of his own party and cabinet to follow France and signal formal recognition of Palestine, Sir Keir has gradually become more critical of Israel in recent months.

On Friday, the prime minister said “the starvation and denial of humanitarian aid to the Palestinian people, the increasing violence from extremist settler groups, and Israel’s disproportionate military escalation in Gaza are all indefensible”.

Government sources say UK recognition is a matter of “when, not if”. However, it’s thought Downing Street wants to ensure any announcement is made at a time when it can have the greatest diplomatic impact.

Cabinet ministers will be convened in the coming days, during the summer recess, to discuss the situation in Gaza.

The UK has also been working with Jordan to air drop supplies, after Israel said it would allow foreign countries to provide aid to the territory.

President Trump’s trip to Scotland comes ahead of his second state visit to the UK in September.

Downing Street says Ukraine will also likely be discussed in the meeting with both men reflecting on what can be done to force Russia back to the negotiating table.

After the meeting at Turnberry, the prime minister will travel with the president to Aberdeen for a private engagement.

Mr Trump is also expected to meet Scottish First Minister John Swinney while in the country.

Crypto isn’t crashing the American dream; it’s renovating it

The US housing regulator’s decision to recognize crypto assets in mortgage applications marks a historic shift from exclusion to integration, opening new pathways to homeownership.

Govt vows to protect ‘pavement pints’ and make it easier for pubs to extend their opening hours

“A wave of new cafes, bars, music venues and outdoor dining” could come to the UK – as the government unveils plans to overhaul planning rules and “breathe new life into the high street”.

Under the proposals, ministers also want to reform licensing rules to make it easier for disused shops to be converted into hospitality venues.

In a statement, Chancellor Rachel Reeves said she planned to scrap “clunky, outdated rules… to protect pavement pints, al fresco dining and street parties”.

The reforms also aim to prevent existing pubs, clubs, and music venues from suffering noise complaints when new properties hit the market.

Developers who decide to build near those sites will be required to soundproof their buildings.

As part of dedicated “hospitality zones”, permission for al fresco dining, street parties and extended opening hours will be fast-tracked.

The government says the reforms aim to modernise outdated planning and licensing rules as part of its Plan for Change, to help small businesses and improve local communities.

The rough plans will be subject to a “call for evidence” which could further shape policy.

Business Secretary Jonathan Reynolds said the proposals will “put the buzz back into our town centres”.

“Red tape has stood in the way of people’s business ideas for too long. Today we’re slashing those barriers to giving small business owners the freedom to flourish,” he said.

The hospitality industry has broadly welcomed the changes but argued tax reform was also essential.

Kate Nicholls, chairwoman of UKHospitality, described the proposals as “positive and encouraging”.

However, she added: “They can’t on their own offset the immediate and mounting cost pressures facing hospitality businesses which threaten to tax out of existence the businesses and jobs that today’s announcement seeks to support.”

While supporting the reforms, Emma McClarkin, chief executive of the British Beer and Pub Association (BBPA), had a similar message.

“These changes must go hand in hand with meaningful business rates reform, mitigating staggering employment costs, and a cut in beer duty so that pubs can thrive at the heart of the community,” she said.

In July, BBPA estimated that 378 pubs will shut this year across England, Wales and Scotland, compared with 350 closures in 2024, which it said would amount to more than 5,600 direct job losses.

Bar chain Brewdog announced this week that it would close 10 sites, partly blaming “rising costs, increased regulation, and economic pressures”.

Andrew Griffith MP, shadow business secretary, said: “Though any cutting of red tape for hospitality businesses is welcome, this is pure hypocrisy and inconsistency from Labour.”

He said the government was “crippling the hospitality industry by doubling business rates, imposing a jobs tax and a full-on strangulation of employment red tape”.
