December 10, Kraken Security Labs research company said they discovered a vulnerability in KeepKey hardware cryptocurrency wallet. It allows an attacker who gained physical access to the device to crack it in just 15 minutes, spending $ 75 on all this.
It will be difficult to fix the vulnerability - manufacturermust change the wallet at the hardware level. The problem is inherent not only to KeepKey, but also to other crypto wallets. Mining-Cryptocurrency.ru understood the conclusions of experts and what other vulnerabilities of hardware wallets should cryptocurrency holders know?
How to hack KeepKey in 15 minutes and $ 75?
The essence of the attack: Using the “voltage glitching” attack, the fraudster can get an encrypted seed phrase (a set of randomly generated words that can be used to restore access to the wallet), and at the same time access to funds.
The method requires specialized equipment andknowledge, but for an experienced attacker simple. He just needs to get the device in his hands. Then he uses a cheap device that causes a malfunction in the microcontroller due to a voltage drop. Such devices are not sold on the market, but according to experts, they can be created independently for only $ 75.
After that, the wallet opens access toseed phrase, requiring a nine-digit PIN. It is easily selected using the "exhaustive search" method. Everything - there is access to funds. The whole process takes 15 minutes. If you are technically savvy, read a detailed Kraken Security Labs expert report on the process and results of breaking a wallet.
Vulnerability is characteristic for every wallet.KeepKey in circulation. Kraken Security Labs experts noted that it would be difficult for the manufacturer to quickly fix the vulnerability with a simple update - unfortunately, firmware that was not immune to crashes did not appear. The problem is inherent in microcontrollers, and to solve it requires a hardware update of the device.
KeepKey developers aware of the problem
KeepKey Wallets sells ShapeShift crypto exchange,who bought the manufacturer in 2017. Back in April 2019, an “ethical hacker” Sergey Volokitin managed to crack a wallet and install its own software on it, causing a voltage failure.
The company is aware of the vulnerability, but believes thatreliably copes with its main task - to protect user keys from remote attacks. Representatives of ShapeShift believe that the probability of loss of funds is minimal. An attacker must obtain a wallet, and also have specialized knowledge, skills and experience in the field of hardware design, software development and a program for cracking a PIN code.
“If someone else gets physicalaccess to your device, and also has the necessary time, skills and tools, he can always do whatever he wants with the device, bypassing any existing digital lock, - wrote the company in June.
Again, this applies to any hardware wallet. ”
The manufacturer promised to make the firmware less susceptible to a voltage failure attack. But, as we see, the vulnerability was not completely eliminated.
Vulnerabilities of Ledger Wallets
The main manufacturers of hardware wallets areLedger, Trezor, KeepKey, Digital BitBox, Coinkite, BitLox, CoolWallet and CryoBit. Each of the manufacturers of top-end hardware crypto-wallets promises to provide the highest level of protection for funds. However, “ethical hackers” and cybersecurity experts have found a way to crack each one.
Trezor and Ledger devices are the most popular onthe market. In terms of hardware and firmware, KeepKey is very similar to Trezor's Model T. The only significant differences can be found in housing, design and architecture, as well as in software.
In December 2018, a number of device vulnerabilitiesTrezor and Ledger were discovered by Wallet.fail experts. The problems were in software and hardware, firmware, and the web interface. Hacking wallets experts demonstrated publicly at the 35th annual conference Chaos Communication Congress. Researchers noted that wallets exhibit systemic and recurring problems. You can get rid of some of them by replacing the microcontrollers or updating the firmware.
Ledger and Trezor wallets are designed differently. The first uses two microcontrollers: a special cryptographic Secure Element and a universal one that manages an external connection and confirms transactions. Hacking a cryptographic chip is difficult, but universal - no.
Here's what the researchers did during the demonstration:
- In the wallet Ledger experts added an inexpensivea $ 3 hardware implant that remotely confirms a transaction. Experts noted that, most likely, in this way you can hack any device. Later, the manufacturer replied that this was an “impractical scenario” and that the danger should not be exaggerated.
- In Ledger Nano S managed to crack the bootloader andreflash device. The wallet has protection against such interference - the firmware is checked using cryptography. However, experts found a way around it and launched the game "Snake" on a hacked wallet. Real attackers, of course, would download the module instead of the game, replacing the wallet address in outgoing transactions, and simply withdraw funds. The error has already been fixed.
- Model Ledger Blue was able to crack by interceptingPIN input using radio waves. To take advantage of the vulnerability, you must be in the immediate vicinity of the wallet when entering the PIN code. In practice, this is also an unlikely scenario. But the manufacturer promised to fix it.
In response, Ledger representatives said that the findings of the experts are interesting, but the demonstrated attacks are difficult to put into practice: they all require physical access to the device.
Trezor Wallet Vulnerabilities
Trezor vulnerabilities have been discussed since 2017,The device’s security problems were also found by an “ethical hacker” teenager Salim Rashid. The company eliminated all the holes in a few days. Rashid also identified vulnerabilities in Ledger devices that could allow malicious code to be injected into the wallet and changing the addresses of outgoing transactions. The hacker warned users against buying used devices, as they are easy to reflash. This time, the company fixed the vulnerability four months later.
Trezor's hardware wallet uses everythingone universal chip based on the ARM architecture, which is responsible for both cryptography and device connection. It would seem that hacking it should be simple, because it is enough for attackers to access only the flash memory of the wallet, which stores the seed phrase, but the developers reliably protected the firmware. Nevertheless, the Wallet.fail researchers found the trust and it through the hardware part of the wallet with direct access to the device.
Trezor wallet experts hacked the same“power failure” attack. Undervoltage caused a failure and reboot. To save the seed phrase during the update, the device placed it in RAM, which the researchers could read. Experts emphasized that this is possible only if the user has not set a password. The Trezor team recognized the vulnerabilities and promised to fix them, but emphasized that in order to exploit them, attackers must gain physical access to the wallets.
This March Attack Lab, a researchThe Ledger division also found several vulnerabilities in Model T and Model One hardware wallets of its main competitor Trezor. According to a company blog post, Ledger employees contacted Trezor to report on the vulnerabilities found. Trezor was able to solve everything but one. After that, Ledger experts shared the problems in the article, and later in public at the MIT Bitcoin Expo conference in Boston.
Attack Lab employees found the following vulnerabilities:
- Device authenticity. The protective holographic sticker can be removed with a simple hairdryer. After that, the authentic wallet can be hacked, and then left in the box, restoring the protective sticker, and returned to the manufacturer compromised. Devices can be completely simulated, since they are made from relatively affordable components - even the manufacturer may not notice the difference. Attack Lab experts believe that to eliminate the vulnerability, you need to change the design and components of wallets. It is noteworthy that Trezor themselves reported the existence of fakes of their flagship device Trezor One back in November 2018 - they are usually sold at a discount and with a low-quality hologram. The company recommended trusted sellers and distributors. However, Ledger experts believe that you can buy a fake even on the official Trezor website. Attackers can purchase the original device, crack it, and then return it back. If a company resells it, new users may lose their funds.
- Pick up a PIN using an attack on a third-party channel.
- Trezor One crypto library lacks sufficienttools to combat hardware attacks - by gaining physical access to a device, an attacker can extract a secret key through an attack on a third-party channel. Trezor previously claimed that its wallets are resistant to such an attack.
- The ability to steal sensitive data fromdevices - after gaining physical access, scammers can extract all the data stored in the device’s flash memory. The vulnerability can be eliminated by replacing the main component of the device with a “protected element chip”, in contrast to the current computer chips used in the devices. This is the only vulnerability not fixed by Trezor - for this it would be necessary to change the wallet device. Attack Lab experts recommended that users use a strong passphrase - this will reduce risks.
What precautions should be followed when working with hardware wallets?
The main risk of compromising a device is the physical access of attackers to it. If the wallet falls into the wrong hands, it will definitely be hacked - it is only a matter of time.
Scammers have an arsenal of tricks withwhich they can access the wallet’s user’s tools: an intermediary’s attack, flashing or distributing fake devices, hacking the computer to which the wallet is connected, PIN bypass, hardware implant, loss or theft of a seed phrase, simple tracking.
To secure your crypto assets, follow simple precautions:
- Buy wallets only in the official store or from distributors recommended by the manufacturer;
- When buying, check the packaging and wallet for opening;
- Keep the device in a safe place;
- Set maximum passwords and waysTransaction confirmation: multi-digit PIN codes and complex passwords, seed phrases, blocking after incorrect PIN code entry. Do not simplify your life - the more difficult it is to complete a transaction, the more reliable;
- Choose a wallet that supports multi-signature (for example, Coldcard Mk3 and Trezor T). They are difficult to use, but significantly increase the level of security;
- Recheck the recipient address before the transaction. In most newer devices, the display shows the full wallet address, but in earlier models not all numbers may be visible. If you do not see at least the last 10 characters of the recipient's wallet, be safe using one-time passwords;
- Make sure no one sees you enter your PIN and passwords. Fraudsters can remotely turn on your webcam or even set up a hidden one.
Hardware Wallets Still Reliable
Hardware wallets can protect fundsclients from the most common attacks: viruses, malware and hackers. At the same time, devices are just as helpless as any other wallets when it comes to protecting client devices from physical attacks.
But do not rush to throw away your hardware wallet or look for an alternative, because:
- Firstly, they haven’t come up with anything more reliable.
- Secondly, if attackers do not get them in your hands, your crypto assets are most likely not to be lost.
- Thirdly, manufacturers are introducing new solutions to protect users ’funds: biometrics, geolocation, smart cards, new encryption algorithms.
It’s important that manufacturers recognize problemssecurity and are working to eliminate them. They have bounty support programs, and they try to fix the identified vulnerabilities as soon as possible. When choosing a wallet, pay attention to the openness of the manufacturer and its willingness to solve the security problems of their devices.
What do you think of hardware wallet security? Have you lost funds from them? Share your thoughts and stories in the comments section below!