February 7, 2020 – 15 minutes was all the time it took for Kraken Security Labs to hack the Trezor cryptocurrency wallet. The flaw is ingrained in the hardware wallet itself, so it cannot be fixed. However, Kraken and Trezor have recommended some tips to make sure the hack never happens.
In a blog post, Kraken Security Labs, the research firm of the Kraken crypto exchange, said they were able to use “voltage glitching” against the Trezor One and Trezor Model T wallets, allowing them to extract “encrypted seeds”, which means they got access to what was supposed to be very secure hardware. They did this with physical access to the hardware for just 15 minutes.
Kraken first publicly announced the security flaw in October 2019, but Trezor had been made aware of the vulnerability beforehand. The vulnerability persists because it is inherent to the microcontroller inside Trezor wallets. “The only fix is to put out a new device,” said Kraken Chief Security Officer Nick Percoco.
In a tweet, Trezor responded that the attack cannot be carried out remotely. The attacker must have physical access to the device to be able to do it. Additionally, it will not work if users have turned on their BIP 39 passphrase.
Physical access is a threat to 6-9% of people, according to our research. If physical access is a part of someone's threat model, we advise to use a Passphrase feature. But again, physical access is not a widespread case.
— Trezor (@Trezor) January 31, 2020
Some, including Percoco, say the Passphrase feature must not be optional. The other safeguard, of course, is that only the owner of the Trezor should have access to the device.
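Why the BIP 39 passphrase mitigation holds, as an added example that is not code from Kraken, Trezor or this article: the passphrase is mixed into the seed derivation, so the same recovery words yield unrelated wallets under different passphrases. It assumes the passphrase is entered at use and not stored on the device; the mnemonic is the published BIP 39 test vector and the owner passphrase is a constructed value.

```python
import hashlib
import hmac
import unicodedata

# Published BIP 39 test-vector mnemonic (all-zero entropy). Never fund it.
TEST_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text):
    """BIP 39 requires NFKD normalisation before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """BIP 39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    salt = _nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, 64)


def bip32_master(seed):
    """BIP 32 master private key and chain code derived from a BIP 39 seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_for(mnemonic, passphrases):
    """Map each candidate passphrase to the master key it would unlock."""
    return {p: bip32_master(bip39_seed(mnemonic, p))[0].hex() for p in passphrases}


if __name__ == "__main__":
    # Constructed scenario: the owner protects the wallet with a passphrase
    # (hypothetical value). The recovery words alone only reproduce the
    # empty-passphrase wallet, which the owner never funded.
    owner_passphrase = "correct horse battery staple"
    table = wallets_for(TEST_MNEMONIC, ["", "TREZOR", owner_passphrase])
    for passphrase, key in table.items():
        print(f"{passphrase!r:32} -> master key {key[:16]}...")
    # Every passphrase produces a valid-looking wallet, so nothing in the
    # derivation signals which one is the owner's.
    assert len(set(table.values())) == len(table)
```

The protection is only as strong as the passphrase itself, since the derivation is public and each guess costs 2048 PBKDF2 rounds.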
This article is published on BitPinas: Kraken Finds Trezor Hardware Wallet Vulnerability