Kraken Security Labs revealed that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it “requires just 15 minutes of physical access to the device.”
On January 31, it was reported that the attack requires physical intervention on the Trezor wallet: either extracting its chip and placing it on a special device, or soldering a couple of critical connectors.
In either case, the chip must be connected to a “glitcher device” that sends signals at specific moments. These glitches break the built-in protection that prevents the chip’s memory from being read by external devices.
The trick allows the attacker to read critical wallet parameters, including the private key seed.
Though the seed is encrypted with a PIN-derived key, the researchers were able to brute-force the combination in just two minutes.
Moreover, the vulnerability stems from the specific hardware Trezor uses, meaning the company cannot easily fix it: it would need to completely redesign the wallet and recall all existing models.
Meanwhile, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.
In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.
Nonetheless, the team suggested that users activate the wallet’s passphrase feature to protect against such attacks. The passphrase is never stored on the device; it is combined with the seed to generate the private keys on the fly.
Kraken also noted that this is a viable alternative, though its researchers called it “a bit clunky to use in practice.”
The feature also places significant responsibility on each user: the passphrase must be complex enough that it cannot easily be brute-forced either, and forgetting it would completely lock users out of their money.
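To make concrete what the passphrase feature described above does, here is an added example (not code from Trezor or Kraken) implementing the published BIP39 seed derivation and BIP32 master-key step in Python: the passphrase is only a PBKDF2 salt, so nothing about it is stored, and seed words recovered from a device yield a different key for every passphrase. The all-“abandon” mnemonic is a constructed sample input.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

BIP39_ITERATIONS = 2048  # PBKDF2-HMAC-SHA512 round count fixed by BIP39


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from mnemonic words plus passphrase.

    The passphrase is never persisted: it is folded into the PBKDF2 salt
    ("mnemonic" + passphrase), so each passphrase produces a distinct seed.
    Both inputs are NFKD-normalised as BIP39 requires.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"),
        BIP39_ITERATIONS, dklen=64,
    )


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """Split HMAC-SHA512("Bitcoin seed", seed) into (master private key, chain code) per BIP32."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Constructed sample mnemonic (the well-known all-"abandon" 12-word phrase).
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def passphrase_unlocks(mnemonic: str, real_passphrase: str, guess: str) -> bool:
    """True only if `guess` reproduces the master key protected by `real_passphrase`.

    Models the defender's question: given the words alone (e.g. after a seed
    extraction), does the wallet's key fall out without the passphrase?
    """
    real_key, _ = bip32_master_key(bip39_seed(mnemonic, real_passphrase))
    guess_key, _ = bip32_master_key(bip39_seed(mnemonic, guess))
    return hmac.compare_digest(real_key, guess_key)


if __name__ == "__main__":
    for pp in ("", "correct horse battery staple"):
        key, _ = bip32_master_key(bip39_seed(SAMPLE_MNEMONIC, pp))
        print(f"passphrase={pp!r:32} master key prefix={key.hex()[:16]}")
```

Running the block prints a different master key for the empty passphrase and for a non-empty one, which is exactly why a device holding only the words (and PIN-encrypted seed) does not hold the passphrase-protected keys.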