The team at Kraken officially reveals that the Trezor hardware wallets and their derivatives can be hacked in order to extract the private keys. Even though this procedure is quite involving, the exchange claims that it “requires just 15 minutes of physical access to the device.”
The attack will require a physical intervention on the Trezor wallet by either extracting the chip and placing it on a special device or linking a couple of critical connectors. The Trezor chip, as Kraken Security Labs said, must be then connected to a “glitcher device” which would send it signals at specific moments.
If you read a Trezor wallet review in our blockchain news, you probably know that this scenario breaks the built-in protection which prevents the chip’s memory from being read by external devices. The trick also allows the attacker to read critical wallet parameters such as the private key seed.
Even though the seed is encrypted with a PIN-generated key, Kraken reveals that researchers were able to brute force the combination in only two minutes. As the team said, the vulnerability is caused by the specific hardware used by Trezor, which means that the company cannot easily fix it. It would need to redesign the Trezor wallet supported coins and recall all existing models.
In the meantime, Kraken urged Trezor and KeepKey users to disallow anyone to physically access the wallet. There has been a coordinated response published by Trezor, where the team minimized the impact of the vulnerability. The company also argued that the attack would show signs of tampering because of the need of opening the device.
Finally, the team at Trezor wallet suggested that users activate the wallet’s passphrase feature to protect them from such attacks. As the team at Kraken reveals in the altcoin news, this is a viable alternative even though its research labeled it as “a bit clunky to use in practice.”
What is also very important is that the feature adds significant responsibility to each user and the passphrase needs to be complex enough to not be easily brute forced as well. Forgetting it would completely lock users out of their money.
DC Forecasts is a leader in many crypto news categories, striving for the highest journalistic standards and abiding by a strict set of editorial policies. If you are interested to offer your expertise or contribute to our news website, feel free to contact us at [email protected]