The security research team at Kraken has found a way to hack into the popular Trezor bitcoin hardware wallet. In merely 15 minutes with physical access to the device, the team extracted seeds from the wallet.
Only works if hacker has physical access to the wallet
According to Kraken Security Labs, breaking into a Trezor wallet is possible through the usage of cheap equipment. By conducting a voltage glitch-based attack, hackers can extract keys from the wallet and therefore withdraw funds from it.
“This attack relies on voltage glitching to extract an encrypted seed. This initial research required some know-how and several hundred dollars of equipment, but we estimate that we (or criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75,” the team explained.
For a hacker to carry out such an attack, it requires the right equipment and knowledge to break into a hardware wallet. Still, when a hardware wallet is lost, if the private keys stored within the wallet can be extracted, it leaves the wallet vulnerable to theft.
Can it be fixed?
The part of the wallet that is triggering this vulnerability is the hardware side. The structure the chip, which according to Kraken is not designed to securely hold data, makes the wallet open to the voltage glitching attack.
Kraken Security Labs said:
“The attack takes advantage of inherent flaws within the microcontroller used in the Trezor wallets. This unfortunately means that it is difficult for the Trezor team to do anything about this vulnerability without a hardware redesign.”
For Trezor, other than integrating redesigned chips in new bitcoin hardware wallets to prevent the attack from happening, there is little the company can do to existing models.
There is a way to prevent the attack
In an extensive blog post, the Trezor team noted that the entire attack can be mitigated if the user has a strong passphrase.
Simply put, by using the passphrase feature on a Trezor device, the hardware wallet can be protected from potential voltage glitch attacks.
“It’s important to note that this attack is viable only if the Passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack,” the Trezor team explained.
Bitcoin security is still difficult
Security experts encourage cryptocurrency investors to hold onto their private keys through non-custodial wallets and hardware wallets. That way, no one else has access to the funds but the investor.
But, individuals that lack basic knowledge around bitcoin and cryptocurrencies in general may not be aware of potential vulnerabilities or consequences of losing private keys.
And as such, securely storing bitcoin independently remains a challenging task for newcomers.
Kraken also previously published its successful attempt at breaking into a KeepKey device, another popular hardware wallet.