Kraken Security Labs today disclosed a glaring flaw in the Trezor’s flagship hardware wallets, Trezor One and Trezor Model T, which allows attackers to steal the data stored within the devices.
What is worse, Cybersecurity researchers claim that the physical theft of encrypted seed can happen within 15 minutes of gaining access to the crypto wallet. They added that their planned attack required some know-how and equipment worth a few hundred dollars.
“We estimate that we (or criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75,” Kraken said.
While this flaw could only be exploited if there is physical access to the device, Kraken noted that it could only be fixed by overhauling the underlying design of Trezor's products. This involves replacing core components, such as the microcontroller used in the Trezor wallets, to incorporate more secured parts as opposed to the general-purpose chip currently used.
“These chips are not designed to store secrets and our research emphasizes that vendors like Trezor and KeepKey should not solely rely on them to secure your cryptocurrency,” the blog explains.
The research arm of the leading crypto exchange found that the 1-9 digit PIN does not protect the users’ assets against an attacker with physical access as it could be brute-forced to unlock the device.
Kraken also advises users to activate their BIP39 Passphrase with the Trezor Client, an additional approach to securing the wallet. Although this passphrase is a bit clunky to use in practice, it is luckily not stored on the device; therefore it “is a protection that prevents this attack.”
Kraken researchers have discovered the vulnerability in October, but they informed the Trezor team first about their findings before disclosing the details today to the public. They added this attack is very similar to flews identified in the KeepKey wallet, which also allows hackers to bypass the protection put in place by the manufacturer and extract the contents of the microcontroller’s flash memory.
Trezor plays down the risks
A few hours after Kraken reported the vulnerability, Trezor’s response was to point out that users should ensure not to give access to the hardware wallet to keep their funds protected against attacks.
“It’s important to note that this attack is viable only if the Passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack,” they explained.
Trezor team added that they are aware of this voltage glitching in the STM32 microchip, which allows an attacker with specialized hardware knowledge to obtain the encrypted recovery seed from the device.
More interestingly, Trezor attempted to underplay the significance of the issue, saying that the main threat and concern for Bitcoin users were online and remote attacks, adding that any hardware is hackable.
“Even though only a small portion of cryptocurrency users are concerned about physical attacks (<6%), we treat physical vulnerabilities with the same urgency as any remote vulnerability,” Trezor concluded.