Kraken Security Labs has devised a way to extract seeds from both cryptocurrency hardware wallets offered by industry leader Trezor, the Trezor One and Trezor Model T.
The attack requires just 15 minutes of physical access to the device. This is the first time that the detailed steps for a current attack against these devices have been disclosed.
Here’s how they did it:
This attack relies on voltage glitching to extract an encrypted seed. This initial research required some know-how and several hundred dollars of equipment, but they estimate that they (or criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75.
They then crack the encrypted seed, which is protected by a 1-9 digit PIN that is trivial to brute force.
The attack takes advantage of inherent flaws within the microcontroller used in the Trezor wallets. This unfortunately means that it is difficult for the Trezor team to do anything about this vulnerability without a hardware redesign.
Until then, here is what you can do to protect yourself:
Do not allow anyone physical access to your Trezor wallet
You could permanently lose your crypto
Enable Your BIP39 Passphrase with the Trezor Client
This passphrase is a bit clunky to use in practice, but it is not stored on the device and therefore protects against this attack.
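Why the passphrase helps, as an added example (not code from Kraken Security Labs or Trezor): BIP39 mixes the passphrase into the PBKDF2 salt, so the mnemonic held on the device yields a different seed, and therefore a different wallet, without it. The mnemonic and the passphrase "TREZOR" are the public BIP39 test-vector values; the 10-symbols-per-digit PIN count and the 6-word passphrase policy are assumptions chosen for illustration.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample; never use for funds).
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes.

    The passphrase only enters through the salt ("mnemonic" + passphrase),
    so it never has to be stored alongside the mnemonic.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def pin_keyspace(max_digits: int = 9, symbols: int = 10) -> int:
    """Count PINs of 1..max_digits digits (symbols per digit is an assumption)."""
    return sum(symbols ** n for n in range(1, max_digits + 1))


def wordlist_keyspace(words: int, list_size: int = 7776) -> int:
    """Count passphrases of `words` random words from a list (hypothetical policy)."""
    return list_size ** words


if __name__ == "__main__":
    stored_only = bip39_seed(MNEMONIC)            # what the device contents yield
    with_phrase = bip39_seed(MNEMONIC, "TREZOR")  # what the funded wallet uses
    print("seed without passphrase:", stored_only.hex()[:16], "...")
    print("seed with passphrase:   ", with_phrase.hex()[:16], "...")
    print("seeds differ:", stored_only != with_phrase)
    print("PIN candidates (1-9 digits):", pin_keyspace())
    print("6-word passphrase candidates:", wordlist_keyspace(6))
```

The protection is only as strong as the passphrase itself: a short or guessable one adds little over the PIN.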
This attack is very similar to our previous research against the KeepKey wallet, which is expected because the KeepKey is a derivative and all devices rely on the same family of chips. Trezor has known about these flaws since designing the wallets.
Other teams, like Ledger Donjon, have also performed variants of this attack, though the full details have not been made public until now.
These chips are not designed to store secrets, and our research emphasizes that vendors like Trezor and KeepKey should not rely solely on them to secure your cryptocurrency.
We are fortunate to be working with the Trezor team to coordinate this disclosure, and you should also review their response. Pavol Rusnak, CTO of SatoshiLabs, adds: “We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”
At Kraken Security Labs, we try to discover attacks against the crypto community before the bad guys do. We responsibly disclosed the full details of this attack to the Trezor team on October 30, 2019. We are going public with this vulnerability disclosure now so that the crypto community can protect themselves before a fix is released by the Trezor team.