Kraken Security Labs has made public a critical flaw in Trezor’s hardware wallets, specifically the Trezor One and the Trezor Model T. Alarmingly, the security team did it in 15 minutes. Kraken is now advising Trezor hardware wallet users to avoid giving their wallets to strangers. Additionally, users should enable their BIP39 Passphrase.
Trezor Cannot Do Anything About It
The Kraken security team has in the last couple of hours released an article and a corresponding video showing how the Trezor hardware wallet can be hacked. In the post, the team described how intruders would go about it.
“This attack relies on voltage glitching to extract an encrypted seed. This initial research required some know-how and several hundred dollars of equipment, but we estimate that we (or criminals) could mass-produce a consumer-friendly glitching device that could be sold for about $75.”
The post continues…
“We then crack the encrypted seed, which is protected by a 1-9 digit PIN, but is trivial to brute force.”
The Kraken team notes that the attack comes down to “inherent flaws within the microcontroller.” This means that Trezor cannot do anything about it without redesigning the hardware.
The post also mentions that other security firms, such as Ledger Donjon, and Trezor itself knew of the problem, but Kraken is the first team to go public.
Trezor has responded, confirming that attackers can tamper with users’ devices. They further note that this would be visible, as the attacker would have to physically open the case to access the device’s STM32 microchips. Like Kraken, they advise that you keep your device away from strangers. However, on the use of the passphrase, they recommend you ask yourself a number of questions before proceeding.
“Are you able to create a strong and memorable passphrase? Does anyone know how many bitcoins do you have? Do you possess enough bitcoins to become a worthy target?”
Physical hardware wallets have been one of the best answers for cryptocurrency holders looking to keep their cryptocurrencies safe. This is because online wallets are exposed to millions of people around the world through the internet. This critical flaw in some Trezor models shows that hardware wallets are not the final answer and that cryptocurrency holders need to be cautious.
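Why the BIP39 Passphrase advice above helps, as an added example that is not code from Kraken or Trezor: under BIP39 the passphrase is mixed into the salt when the wallet seed is derived from the recovery words, so recovery words extracted from a device do not by themselves reproduce a passphrase-protected wallet. The function names are hypothetical, and the mnemonic and passphrase are the public BIP39 test-vector values, used here as constructed sample input.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public all-"abandon" BIP39 test mnemonic.
# It is a published test vector, never a real wallet.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"
SAMPLE_PASSPHRASE = "TREZOR"  # passphrase used by the public BIP39 test vectors


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from recovery words and a passphrase.

    BIP39: PBKDF2-HMAC-SHA512, 2048 iterations, password = mnemonic,
    salt = "mnemonic" + passphrase, both NFKD-normalized UTF-8.
    """
    # Collapsing whitespace is a convenience of this example, not part of BIP39.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def same_wallet(mnemonic: str, guess: str, real_passphrase: str) -> bool:
    """True only when the guessed passphrase reproduces the owner's seed."""
    return hmac.compare_digest(
        bip39_seed(mnemonic, guess), bip39_seed(mnemonic, real_passphrase)
    )


if __name__ == "__main__":
    # Seed derived from the recovery words alone (empty passphrase).
    words_only = bip39_seed(SAMPLE_MNEMONIC)
    # Seed of the wallet the owner actually uses.
    protected = bip39_seed(SAMPLE_MNEMONIC, SAMPLE_PASSPHRASE)
    print("words only :", words_only.hex()[:16], "...")
    print("with phrase:", protected.hex()[:16], "...")
    # Every passphrase yields a valid seed, so a wrong guess gives no error,
    # only a different (empty) wallet.
    print("same wallet:", same_wallet(SAMPLE_MNEMONIC, "", SAMPLE_PASSPHRASE))
```

The protection is only as strong as the passphrase itself, which is the point of the questions Trezor asks users to consider.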