Kraken Security Labs has revealed that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it “requires just 15 minutes of physical access to the device.”
The attack requires a physical intervention on the Trezor wallet by either extracting its chip and placing it on a special device or soldering a couple of critical connectors, Cointelegraph reported.
The Trezor chip must then be connected to a “glitcher device” that would send it signals at specific moments. These break the built-in protection that prevents the chip’s memory from being read by external devices.
The trick allows the attacker to read critical wallet parameters, including the private key seed.
Though the seed is encrypted with a PIN-generated key, the researchers were able to brute force the combination in just two minutes.
The vulnerability is caused by the specific hardware used by Trezor, meaning that the company cannot easily fix it. It would need to completely redesign the wallet and recall all existing models.
In the meantime, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.
In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.
Finally, the team suggested users activate the wallet’s passphrase feature to protect from such attacks. The password is never stored on the device as it is added to the seed to generate the private key on the fly. Kraken also noted that this is a viable alternative, though researchers referred to it as “a bit clunky to use in practice.”
The feature also adds significant responsibility to each user. The passphrase needs to be complex enough to not be easily brute forced as well, and forgetting it would completely lock users out of their money.
The security flaw was first discovered in October of 2019, The Daily Hodl reported. The team at Trezor has issued instructions on what consumers can do to protect their holdings: “It’s important to note that this attack is viable only if the passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack. If sophisticated physical attacks on your device are in your threat model, we recommend learning how to create and effectively use the passphrase protection to secure your accounts.”
You can check out Kraken Security Labs’ full technical breakdown on the critical flaw here.