Since they are not connected to the Internet, Hardware Wallets are rightly considered to be one of the safest ways to store your crypto assets. However, they are not infallible either. The latest proof of this was provided by the Kraken Security Labs.
The Kraken Security Labs have detected a security vulnerability in hardware wallets of the brand Trezor. The security team of the Bitcoin exchange Kraken needed less than 15 minutes to read all relevant data from the devices in the course of an attack. Both the Trezor One and the Trezor Model T. Kraken published the details of the attack on January 31, but informed the Trezor team about the vulnerability on October 30, 2019. The wallet manufacturers have since reacted with their own statement.
The Kraken Security Labs succeeded in the attack with the help of a device that generates “voltage spikes”. According to the team, apart from immediate physical access to the devices, criminals only needed technical know-how and not too expensive technical equipment. The attack directly targeted the STM32 microchip built into the Trezor devices. Since the security hole is based on the design of the devices themselves, it cannot be easily fixed. Both Kraken and Trezor strongly advise users to enable the BIP39 passphrase in the Trezor client. Since it is not stored in the devices themselves, it is an effective protection against such attacks.
By the way, KeepKey wallets also use a similar hardware architecture, which is why they are also affected by a corresponding vulnerability. The team from Kraken Security Labs therefore emphasized that manufacturers should not rely on hardware as the only security layer. In particular, they consider the STM32 chips unsuitable for storing Bitcoin keys and other sensitive data. Despite Kraken’s findings, users of Trezor and similar devices should not rush to panic. After all, the majority of crypto thefts still occur via the Internet.
Octopus took only 15 minutes
The Kraken Security Labs give a detailed report about the attack on the Trezor devices in their blog post. According to this report, they proceeded as follows:
“Our attack begins by reactivating the processor’s integrated boot loader through an error injection attack. This integrated boot loader has the function of reading the flash content of the device, but checks the protection of the chip while the command is being executed. By using a second error injection attack, it is possible to bypass this check, and then the entire flash content of the device can be extracted 256 bytes at once. By repeating the attack, it is possible to extract the entire Flash content.”
Once the team had extracted the content in this way, the only thing left to do was to crack the PIN that protected the keys to the crypto assets. To do this, the Kraken team resorted to a brute force attack. The PIN could thus be broken in less than two minutes.