Kraken Security Labs today disclosed a glaring flaw in the wallets, Trezor One and Trezor Model T, which allows attackers to steal the data stored within the devices.
What is worse, cybersecurity researchers claim that the physical theft of encrypted seed can happen within 15 minutes of gaining access to the crypto wallet. They added that their planned attack required some know-how and equipment worth a few hundred dollars.
“We estimate that we (or criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75,” Kraken said.
While this flaw could be only exploited if there is physical access to the device, noted that it can only be fixed by overhauling the underlying design of Trezor’s products. This involves replacing core components, such as the microcontroller used in the to incorporate more secured parts as opposed to the general purpose chip currently used.
“These chips are not designed to store secrets and our research emphasizes that vendors like Trezor and KeepKey should not solely rely on them to secure your cryptocurrency,” the blog explains.
The research arm of the leading found that the 1-9 digit PIN does not protect the users’ assets against an attacker with physical access as it could be brute-forced to unlock the device.
Kraken also advises users to activate their BIP39 Passphrase with the Trezor Client, an additional approach to securing the wallet. Although this passphrase is a bit clunky to use in practice, but is luckily not stored on the device, therefore “is a protection that prevents this attack.”
Kraken researchers have discovered the vulnerability in October, but they informed Trezor team first about their findings before disclosing the details today to the public. They added this attack is very similar to flews identified in the , which also allow hackers to bypass the protection put in place by the manufacturer and extract the contents of the microcontroller’s flash memory.
Trezor plays down the risks
A few hours after Kraken reported the vulnerability, Trezor’s response was to point out that users should ensure not to give access to the to keep their funds protected against attacks.
“It’s important to note that this attack is viable only if the Passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack,” they explained.
Trezor team added that they are aware of this voltage glitching in the STM32 microchip which allows attacker with specialized hardware knowledge to obtain the encrypted recovery seed from the device.
More interestingly, Trezor attempted to underplay the significance of the issue saying that the main threat and concern for Bitcoin users were online and , adding that any hardware is hackable.
“Even though only a small portion of cryptocurrency users are concerned about physical attacks (<6%), we treat physical vulnerabilities with the same urgency as any remote vulnerability,” Trezor concluded.