According to Cointelegraph reported on February 1, Kraken Security Labs recently announced that Trezor hardware wallets and their derivatives can be used to steal private keys. Although the entire theft process is quite complicated, Kraken claims that hackers "simply perform physical access to the device in 15 minutes to succeed".
(Image source: flickr )
- New Zealand: IRD proposes to waive taxes on some cryptocurrencies to boost industry development
- New York On Its Way To Becoming A Hub Of New Crypto Businesses
- "Palace Fight" triggered by an acquisition: Steemit team declares war on the community
- How does the Fed's unlimited "print money" affect the crypto market?
- Analysis | Which blockchain projects have the largest number of giant whales in the "ocean"?
- 2020: The year Wall Street takes over cryptocurrencies
This attack requires physical intervention in the Trezor wallet by extracting its chip and placing it on a special device, or soldering several key connectors.
The Trezor chip must then be connected to a "faulty device" that sends a signal to it at a specific moment. The device broke the Trezor chip's built-in protection that prevented external devices from reading its memory. This process allows an attacker to read key wallet parameters, including the private key seed. Although the private key seed was encrypted with a key generated by a PIN, the researchers cracked the password within two minutes.
The vulnerability was caused by Trezor's use of specific hardware, and the company may not be able to easily fix the hardware issue. It requires the company to completely redesign the wallet and recall all existing models.
At the same time, Kraken Labs urged users of Trezor and KeepKey not to let anyone easily get their own hardware wallet.
Trezor responded to the matter, and the team believes that the probability of this vulnerability being exploited by hackers is not high. The company argues that the attack will show clear signs of tampering as hackers need to turn on the device, while also pointing out that the attack requires extremely specialized hardware to perform.
The Kraken research team finally recommended that users activate the wallet's passphrase (a double private key set by the user) to avoid such attacks. The passphrase is not stored on the device, it is a dynamically generated private key. Although researchers consider passphrase "complicated in practice," Kraken notes that this is a viable option.
If users want to set a passphrase, they need to make it complicated enough to not be easily cracked by force. If the user forgets it, they will never be able to access the cryptocurrency in the wallet.
Cointelegraph contacted Kraken Labs for more details, but no response has been received as of press time.