Kraken Security Labs announced today that the Trezor hardware wallet has a software flaw that makes it vulnerable to hacking attacks. These wallets can be hacked in less than 15 minutes.
The details of the case
According to Kraken, Trezor Model T and Trezor One have a security flaw which makes the physical theft of seed possible in just 15 minutes. They said that hacking could be done using equipment costing a few hundred dollars. In an even scarier note, they added,
“We estimate that we (or criminals) could mass-produce a consumer-friendly glitching device that could be sold for about $75.”
The flaw that Kraken’s team found could only work if the hackers have physical access to the hardware wallet. To fix the flaw, Trezor will have to overhaul the entire underlying design of its products, including the replacement of core components. They use general-purpose chips in their wallets right now but may be forced to move to microcontrollers.
In its blog, Kraken also wrote that the chips being used by Trezor are cannot be used for storing secrets. They emphasized that KeepKey, Trezor, and similar vendors should not rely on the chips to secure cryptocurrencies for users.
A PIN is not secure anymore
According to the research team, the 1-9-digit PIN used in hardware wallets is not enough to protect the assets of the users against an attack, especially if the attacker has physical access to the wallet. They could use brute force to unlock the device. Kraken suggested Trezor users activate their BIP39 Passphrase using a Trezor client to secure the wallet. The BIP39 Passphrase is generally clunky but it is not stored on the user’s device. Therefore, it provides an additional layer of protection to the users.
The Kraken team found the security vulnerability in Trezor wallets in October. They immediately informed the company and have chosen to go public with the findings now. They said that the KeepKey wallet also has similar vulnerabilities that allow hackers to bypass their protection.
Trezor commented on the blog post and said that users should never share access to their wallets and use the Passphrase feature to ensure that their funds remain safe in their wallets. They also tried to underplay the attack, saying that any hardware can be hacked, and the larger problems to users are remote and online attacks.