Kraken Security Labs: Hackers can exploit Trezor hardware wallets with only 15 minutes of physical access to the device

Quick Take

  • Kraken Security Labs announced that they had performed an attack against Trezor’s cryptocurrency hardware wallets and found that hackers can extract the seeds in under 15 minutes.
  • The flaw is inherent to the wallet hardware and cannot be fixed, according to Kraken, but users can protect their assets by turning on the BIP39 passphrase and ensuring physical control over their wallets.

Kraken Security Labs has identified a critical security flaw in Trezor’s cryptocurrency hardware wallets, which allows hackers to extract seeds in under 15 minutes.

In a Friday blog post, Kraken claimed that hackers can possibly exploit voltage glitching and extract encrypted seeds from the Trezor One and Trezor Model T wallets with only 15 minutes of physical access to the device. 

Trezor has been aware of this vulnerability since designing the products, the post contended. Before publicly announcing the security flaw, Kraken in Oct. 2019 revealed details of the attack to Trezor. Ledger’s security team, Ledger Donjon, also conducted similar research last year. 

According to Kraken Chief Security Officer Nick Percoco, the flaw is an inherent to the microcontroller used in Trezor's wallets, which is why the vulnerability persists despite Trezor's knowledge of it. 

"It's a flaw that's present in the hardware, not something they can just put a formal update on and fix it for all their customers," he told The Block. "To address this problem, they would essentially need to put out a new device."

Following Kraken's blog post, Trezor cited in a tweet its official response to Ledger’s research dated Mar. 2019. According to the response, the attack cannot happen remotely and will not work if users turn on the BIP 39 passphrase. 

"Physical access is a threat to 6-9% of people, according to our research," Trezor said in a subsequent tweet. "If a physical access is a part of someone's threat model, we advice to use a Passphrase feature. But again, physical access is not a widespread case."

Percoco confirmed Trezor's claims. "We would not have been able to perform this attack if there were a BIP 39 passphrase, but unfortunately, the passphrase is an optional addition that not all users enable," he said. " So the real recommendations here are, one, make sure that you are controlling physical access to your Trezor wallet, and, two, add that that additional passphrase to the wallet."

Kraken previously performed a similar attack against the KeepKey wallet. In light of the two sets of research, Kraken concluded in the blog post that "these chips are not designed to store secrets and... vendors like Trezor and KeepKey should not solely rely on them to secure your cryptocurrency."

Percoco said Kraken decided to make the announcement in order to bring awareness to this kind of vulnerability. 

"This is for our clients and for the users within the Bitcoin community to be aware that they need to take the additional precautions when using a hardware wallet to ensure that their seeds are protected," he said. 

© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Trending Stories

Get Your Crypto
Daily Brief

Delivered daily, straight to your inbox.

The Era of dFMI for Institutional Digital Asset Markets

Post-trade in capital markets today operates primarily based on provision of balance-sheet to off-set counterparty risk, either directly or indirectly, via settlement agents, CCPs and CSDs etc.  The issues with this ‘hub and spoke’ model are well known, including the resulting massive duplication of data, bifurcated processes, concentration of risk and subsequent deployment of capital and resources that could be better utilized. 
Read Full Story
Sponsored Post

Retail traders are here to stay, says eToro's US CEO

On this episode of The Scoop, eToro's newly appointed US lead Lule Demmissie explained why she doesn't see retail's newfound presence in the market subsiding anytime soon and how eToro plans to capitalize on growing the business across cryptocurrencies and stock trading.
Read Full Story
Jan 26, 2022, 4:23PM UTC