February 7, 2020 – 15 minutes was all the time it took for Kraken Security Labs to hack the Trezor cryptocurrency wallet. The flaw is ingrained to the hardware wallet itself so it cannot be fixed. However, Kraken and Trezor recommended some tips to make sure the hack will never happen.
In a blog post, Kraken Security Labs, the research firm of Kraken crypto exchange said they were able to exploit a “voltage glitching” on the Trezor One and Trezor Model T Wallets, allowing them to extract “encrypted seeds”, which means they got access to what was supposed to be a very secure hardware. They’ve done this while only having physical access to the hardware for just 15 minutes.
Kraken first publicly announced the security flaw in October 2019, but Trezor was also made aware of the vulnerability beforehand. This vulnerability persists because it is inherent to microcontroller inside Trezor wallets. “The only fix is to put out a new device,” said Kraken Chief Security Officer Nick Percoco.
- Read More: Cryptocurrency Wallets in the Philippines
In a tweet, Trezor responded and said that it is not possible for an attack to happen remotely to the hardware. The attacker must have physical access to the device for them to be able to do it. Additionally, it will not work if users turned on their BIP 39 passphrase.
Physical access is a threat to 6-9% of people, according to our research. If a physical access is a part of someone's threat model, we advice to use a Passphrase feature. But again, physical access is not a widespread case.
— Trezor (@Trezor) January 31, 2020
Some, including Percoco are saying the Passphrase feature must not be optional. Of course, the other is that only the owner of the Trezor should have access to the device.
This article is published on BitPinas: Kraken Finds Trezor Hardware Wallet Vulnerability