Employees of the research company Kraken Security Labs discovered a vulnerability in the KeepKey cryptocurrency hardware wallet through which attackers can gain access to the user's assets.
Researchers reported that, with physical access to the device, an attacker can extract the encrypted seed phrase, which is protected by a PIN code that contains from 1 to 9 digits; such protection can be cracked by a simple brute-force attack. At the same time, the vulnerability cannot be eliminated, since doing so would require KeepKey to change the wallet at the hardware level.
“The attack, called ‘power failure’, is made on the microcontroller used in KeepKey wallets. With the help of certain malicious manipulations with power, it is possible to influence the first element of the software downloaded by the device, in this case the ‘BootROM code’,” said Kraken Security Labs employees.
A device that can carry out such an attack can be assembled for about $75; however, the researchers described how users can protect themselves from hacking. First, try to ensure that no one except the user has physical access to the device. If a device is lost or stolen, this vulnerability can be used to access the cryptocurrency assets.
The cybersecurity experts also recommend adding a BIP39 passphrase through the KeepKey Client extension. This passphrase is a bit inconvenient to use, but it is not stored on the device and is therefore not vulnerable to the attack. Researchers noted:
“Despite the fact that the bulk of the KeepKey code base is based on Trezor One, they still have differences. KeepKey developers added several mechanisms that were supposed to make the wallet firmware immune to failure attacks. Similar attacks were demonstrated at the Wallet.Fail event, but it turned out that all these measures were ineffective.”
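Why the BIP39 passphrase recommended above survives extraction of the device's contents, shown as an added example (not code from Kraken Security Labs or KeepKey): BIP39 mixes the passphrase into the PBKDF2 salt, so the seed phrase alone derives a different wallet seed. The mnemonic is the public BIP39 test-vector phrase, and the function names are hypothetical.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample input, never use for funds).
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalization before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as specified by BIP39.

    PBKDF2-HMAC-SHA512, 2048 iterations, password = mnemonic,
    salt = "mnemonic" + passphrase. The passphrase is an input the
    user types at unlock time; it is not part of the stored seed phrase.
    """
    words = " ".join(mnemonic.split())  # collapse stray whitespace
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(words), salt, 2048, dklen=64)


def device_only_seed_matches(mnemonic: str, owner_passphrase: str) -> bool:
    """Compare the seed derivable from the seed phrase alone (what is
    stored on the device) with the seed of the owner's real wallet."""
    from_device = bip39_seed(mnemonic)  # passphrase unknown -> empty
    real_wallet = bip39_seed(mnemonic, owner_passphrase)
    return hmac.compare_digest(from_device, real_wallet)


if __name__ == "__main__":
    for label, phrase in (("no passphrase", ""), ("passphrase set", "TREZOR")):
        seed = bip39_seed(TEST_MNEMONIC, phrase)
        exposed = device_only_seed_matches(TEST_MNEMONIC, phrase)
        print(f"{label:15s} seed={seed.hex()[:16]}... "
              f"recoverable from seed phrase alone: {exposed}")
```

The protection is only as strong as the passphrase itself, since anyone holding the seed phrase can test candidate passphrases offline at the cost of 2048 PBKDF2 iterations each.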