Kraken Hacked Trezor’s Hardware Wallets in 15 Minutes
Trezor’s hardware wallets just got kracked.
Given physical access to the device and sufficient know-how, the attack can be executed in approximately 15 minutes using ~$75-worth of specialized glitching hardware.
To make things worse, there’s nothing Trezor can do about it. The attack exploits a vulnerability in the firmware which leads to an inherent hardware vulnerability that cannot be patched without making substantial physical changes the device.
The problem namely lies with two micro-controllers Trezor hardware wallets use to store cryptographic seeds and other sensitive data. (More specifically, the STM32-based Cortex-M3 and Cortex-M4 micro-controllers.)
Using some apt voltage glitching, Kraken managed to corrupt the micro-controllers, extract the encrypted flash-contents, and then fully compromise the security of the device’s contents by brute forcing the PIN code — all in under two minutes.
“This attack demonstrates that the STM32-family of Cortex-M3/Cortex-M4 microcontrollers should not be used for the storage of sensitive data such as cryptographic seeds even if these are stored in encrypted form.”
The Kraken Security Lab also pointed out that Trezor has long known about this issue. Back in July 2019, Ledger’s security team was the first to perform a similar attack and expose this critical, ‘un-patchable’ vulnerability native to all Trezor and KeepKey hardware wallets.
In their defense, Trezor dismisses the severity of the issue, stating that none of the attacks are exploitable remotely and that “the demonstrated attack vectors require physical access to the device, specialized equipment, time, and technical expertise.”
To put that in perspective — that’s 15 minutes of physical access to the device, a $75-worth of “specialized equipment” and a thorough read of Kraken’s step-by-step guide.
How To Protect Yourself?
You know what to do.
| () | ________ _ _)
|/ | | | |
`—` "-" |_|#ProofOfKeys
— Trezor (@Trezor) January 3, 2020
Trezor or KeepKey crypto hardware wallet users should keep a close eye on their device and enable the BIP39 passphrase using the Trezor Client. The BIP39 passphrase is not stored directly on the device, which means that the cryptocurrency will remain safe even if an attacker gets ahold of the physical wallet.