Kraken Security Labs: Hackers can exploit Trezor hardware wallets with only 15 minutes of physical access to the device
January 31, 2020, 11:52AM EST · 2 min read
- Kraken Security Labs announced that they had performed an attack against Trezor’s cryptocurrency hardware wallets and found that hackers can extract the seeds in under 15 minutes.
- The flaw is inherent to the wallet hardware and cannot be fixed, according to Kraken, but users can protect their assets by turning on the BIP39 passphrase and ensuring physical control over their wallets.
Kraken Security Labs has identified a critical security flaw in Trezor’s cryptocurrency hardware wallets, which allows hackers to extract seeds in under 15 minutes.
In a Friday blog post, Kraken claimed that hackers can possibly exploit voltage glitching and extract encrypted seeds from the Trezor One and Trezor Model T wallets with only 15 minutes of physical access to the device.
Trezor has been aware of this vulnerability since designing the products, the post contended. Before publicly announcing the security flaw, Kraken in Oct. 2019 revealed details of the attack to Trezor. Ledger’s security team, Ledger Donjon, also conducted similar research last year.
According to Kraken Chief Security Officer Nick Percoco, the flaw is an inherent to the microcontroller used in Trezor's wallets, which is why the vulnerability persists despite Trezor's knowledge of it.
"It's a flaw that's present in the hardware, not something they can just put a formal update on and fix it for all their customers," he told The Block. "To address this problem, they would essentially need to put out a new device."
Following Kraken's blog post, Trezor cited in a tweet its official response to Ledger’s research dated Mar. 2019. According to the response, the attack cannot happen remotely and will not work if users turn on the BIP 39 passphrase.
"Physical access is a threat to 6-9% of people, according to our research," Trezor said in a subsequent tweet. "If a physical access is a part of someone's threat model, we advice to use a Passphrase feature. But again, physical access is not a widespread case."
Percoco confirmed Trezor's claims. "We would not have been able to perform this attack if there were a BIP 39 passphrase, but unfortunately, the passphrase is an optional addition that not all users enable," he said. " So the real recommendations here are, one, make sure that you are controlling physical access to your Trezor wallet, and, two, add that that additional passphrase to the wallet."
Kraken previously performed a similar attack against the KeepKey wallet. In light of the two sets of research, Kraken concluded in the blog post that "these chips are not designed to store secrets and... vendors like Trezor and KeepKey should not solely rely on them to secure your cryptocurrency."
Percoco said Kraken decided to make the announcement in order to bring awareness to this kind of vulnerability.
"This is for our clients and for the users within the Bitcoin community to be aware that they need to take the additional precautions when using a hardware wallet to ensure that their seeds are protected," he said.
© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.