
Kraken’s security division revealed that the entire family of Trezor wallets can be hacked to steal private keys, though the method requires specialized hardware.
Kraken Security Labs revealed on Jan. 31 that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it “requires just 15 minutes of physical access to the device.”
The attack requires a physical intervention on the Trezor wallet by either extracting its chip and placing it on a special device or soldering a couple of critical connectors.
The Trezor chip must then be connected to a “glitcher device” that would send it signals at specific moments. These break the built-in protection that prevents the chip’s memory from being read by external devices.
The trick allows the attacker to read critical wallet parameters, including the private key seed.
Though the seed is encrypted with a PIN-generated key, the researchers were able to brute force the combination in just two minutes.
The vulnerability is caused by the specific hardware used by Trezor, meaning that the company cannot easily fix it. It would need to completely redesign the wallet and recall all existing models.
In the meantime, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.
In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.
Finally, the team suggested users activate the wallet’s passphrase feature to protect against such attacks. The passphrase is never stored on the device, as it is added to the seed to generate the private key on the fly. Kraken also noted that this is a viable alternative, though researchers referred to it as “a bit clunky to use in practice.”
The feature also adds significant responsibility to each user. The passphrase needs to be complex enough to not be easily brute forced as well, and forgetting it would completely lock users out of their money.
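The passphrase mechanism described above, shown as an added example (not code from Trezor, Kraken or the original article): Trezor's passphrase follows the BIP-39 standard, in which the wallet seed is PBKDF2-HMAC-SHA512 over the recovery words with the passphrase mixed into the salt. The mnemonic is the public BIP-39 test vector, and the function names `bip39_seed` and `passphrase_bits` are chosen here for illustration.

```python
import hashlib
import math
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by the BIP-39 standard


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from the recovery words and a passphrase.

    Only the recovery words live in the device's flash. The passphrase is
    typed in at unlock time, so dumping the flash does not reveal it.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


# Constructed sample input: the public BIP-39 test-vector mnemonic.
# Never use it for a real wallet.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def demo() -> None:
    # What the stored recovery words yield on their own (empty passphrase).
    stored_only = bip39_seed(SAMPLE_MNEMONIC)
    # What the owner's wallet actually uses once a passphrase is set.
    protected = bip39_seed(SAMPLE_MNEMONIC, "TREZOR")
    print("seed without passphrase:", stored_only.hex()[:16], "...")
    print("seed with passphrase:   ", protected.hex()[:16], "...")
    print("seeds differ:", stored_only != protected)
    # The passphrase is now the only secret left, so its strength matters:
    # each guess costs one 2048-round PBKDF2 run, which is cheap offline.
    print("4 lowercase letters: %.1f bits" % passphrase_bits(26, 4))
    print("6 random words from a 2048-word list: %.1f bits" % passphrase_bits(2048, 6))


if __name__ == "__main__":
    demo()
```

A different passphrase produces an unrelated seed, which is why a short or guessable passphrase leaves the funds exposed once the recovery words have been extracted, and why a forgotten one cannot be recovered from the device.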
Cointelegraph reached out to Kraken for additional details, but had not received a response as of press time. The article will be updated as more information becomes available.
Source: CoinTelegraph

