Hardware wallets move private keys off the internet and onto a device that signs transactions. They still need a way to receive unsigned transactions and send back signatures. That link is typically USB (wired), Bluetooth (wireless), or NFC (short-range wireless).
Which should you use? It depends on threat model. Want full control? Wired is usually preferred.
Trezor models are designed as USB-first hardware wallets. In my testing, USB connections were stable and consistent across desktop and mobile via USB-OTG adapters. And yes, that means there is no built-in Bluetooth or NFC to worry about on a standard device (so queries like "bluetooth trezor" or "trezor bluetooth safe" are largely moot: there is no native Bluetooth implementation to evaluate).
For device-specific setup and first-time screens see the step-by-step unboxing and setup guide. Firmware updates are performed over USB through official apps — always verify firmware authenticity as described in firmware-updates-verification.
Connection choice changes the attack surface. Hardware wallets protect private keys by isolating them on-device and requiring on-device confirmation for transactions. But the host (computer or phone) and the transport channel still matter.
Secure element chips (dedicated tamper-resistant chips) are one way to harden a device against certain physical and remote attacks. Some hardware wallet designs use a secure element; others prioritize an auditable open-source architecture instead. Read more in secure-element-explained.
Two important concepts:
| Connection | Typical range | Convenience | Primary risks | Mitigations | Notes |
|---|---|---|---|---|---|
| USB (wired) | Physical cable | High for desktop use | Compromised host; malicious cables (BadUSB) | Verify on-device details; use trusted cables; keep host clean | Common for Trezor devices |
| Bluetooth (wireless) | ~10–100 ft | High for mobile use | Pairing attacks, eavesdropping, MitM | Strong pairing, authenticated encryption, secure element | Adds convenience but increases attack surface |
| NFC (tap) | <4 in | Very convenient for phones | Relay attacks; close-proximity skimming | Confirm on-device details; short-range limits some threats | Good for quick mobile ops, still needs careful UX |
Below are attack patterns I see most often and practical steps to reduce risk.
But remember: physical security matters too. A stolen device with an exposed or easy-to-guess PIN can be broken into.
Air-gapped signing avoids connecting your hardware wallet directly to an internet-facing host. Here’s a high-level PSBT (Partially Signed Bitcoin Transaction) flow you can adapt.
Step by step:
This removes the live host from the signing moment and limits host-side tampering. For detailed instructions see air-gapped-signing-psbt.
Daily usage workflows favor convenience. For most people, using a hardware wallet over USB for frequent transactions balances usability and safety. Keep smaller amounts on a mobile-friendly solution if you need speed. (That's personal preference.)
Long-term storage should emphasize redundancy and minimum exposure:
Who this setup suits:
Who might look elsewhere:
In my experience, different choices fit different needs. There's no one-size-fits-all.
Q: Is Bluetooth safe for a hardware wallet? A: It can be, if the wallet implements strong pairing, authenticated encryption, and a secure element. But Bluetooth increases the attack surface compared with wired USB. If your hardware wallet lacks Bluetooth (as most Trezor models do), you don't face that particular wireless risk.
Q: Is NFC secure for a hardware wallet? A: NFC is short-range and convenient, but it can be vulnerable to relay attacks if an attacker is physically close. Always verify transaction details on the device.
Q: Can I recover my crypto if the device breaks? A: Yes. Recovery is done with your seed phrase on any compatible non-custodial wallet. See recovering-a-trezor and seed-phrase-basics.
Q: What happens if the company goes bankrupt? A: Ownership of crypto depends on your seed phrase, not the company. As long as your seed phrase is safe and you use standard key formats, you can recover funds elsewhere.
Q: Should I use a passphrase (25th word)? A: Passphrases add security but also add complexity and risk of permanent loss if you forget them. Read passphrase-guide-25th-word before enabling.
Wired USB keeps things simple and reduces wireless attack vectors; wireless options add convenience at the cost of a broader attack surface. Choose the trade-offs that match your threat model. In my testing, consistent on-device verification and careful firmware checks prevented the kinds of issues that surprise most users.
Want a practical next step? Follow the step-by-step unboxing and setup guide and read firmware-updates-verification before you connect a device to the internet. And if you're planning high-value holdings, consider multisig and air-gapped workflows (links above).
Related reading: trezor-security-overview · secure-element-explained · air-gapped-signing-psbt