Not so Unhackable; Hackers Find Vulnerability in Trezor Wallet
Hackers have recently shown that a new attack vector to hacking the Trezor wallet is now possible. A team of hackers has managed to find a new way to hack the Trezor wallet, as reported this Thursday, December 27, 2018, in a tweet from a crypto enthusiast.
Not so Safe
Trezor seemingly has a vulnerability that exposes users that don’t have a password protecting their coins on a Trezor Wallet device. This is not something new as Trezor, and other hardware wallets have fallen to attacks before. This was expected to happen sooner or later as these devices help a lot, but they are exploitable.
The issue was debated at the 35th Chaos Communication Congress where specialists gathered to discuss how most popular cryptocurrency hardware wallets can be hacked.
The Chaos Communication Congress uncovers architectural, physical, hardware, software and firmware vulnerabilities. It tries to establish a library of malicious attacks that can be found including issues that could allow a malicious attacker to gain access to the funds of a hardware wallet. The team investigation demonstrated systemic and recurring issues.
The attacks performed by the team against several hardware wallets ranged from breaking the proprietary bootloader protection to breaking the web interfaces used to interact with wallets, up to physical attacks including glitching to bypass the security implemented in the microcontrollers of the wallet. This ensures that companies address the issues found by building more resilient hardware wallets.
Hack a Hardware Wallet 101
Hardware wallets are extremely popular nowadays while the number of users storing their coins in these devices is increasing rapidly. It is safe to assume that these devices now save a significant percentage of the world’s cryptocurrency. ICOs, hedge funds, traders, and blockchain projects are using hardware wallets to store their cryptocurrency. Moreover, a lot of crypto traders interact, update, and generate transactions using their hardware wallets on a daily basis. This means that hardware wallets store tens of millions of dollars of cryptocurrency and might be subjected to attacks.
The presentation debated what the vulnerabilities found were and what would be the best course of action. What they saw is that these vulnerabilities have several levels of implication and might have to be fixed in a firmware upgrade, or will probably require a new hardware revision.
The attack was mainly centered on breaking the interfaces that allow the interaction with the wallet. To do this, Dmitry Nedospasov and Thomas Roth set up a socket along with an FPGA and a few other devices connected to the Trezor wallet to run code that would give them access to the seed and pin. However, the hack would only be possible if the wallet didn’t have a password.
Meanwhile, Pavol Rusnak, the Engineer in charge of Trezor replied to the community saying the issue was being investigated and a patch was on its way.
“We were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we’ll be addressing them via a firmware update at the end of January.”
The issues triggered concerns within the community and mostly with the crypto enthusiasts using the Trezor device.
Rusnak further tweeted:
With regards to #35c3 findings about @Trezor: we were not informed via our Reponsible Disclosure program beforehands, so we learned about them from the stage. We need to take some time to fix these and we'll be addressing them via a firmware update at the end of January.
— Pavol Rusnak (@pavolrusnak) December 28, 2018
Anyone using a Trezor and is not using a passphrase or password should be using it right away. The password phrase is the safest feature as it is much more resistant to brute-force attacks.