Engineer hacks Trezor wallet, recovers $2M in 'lost' crypto

Published at: Jan. 26, 2022

A computer engineer and hardware hacker has revealed how he managed to crack a Trezor One hardware wallet containing more than $2 million in funds.

Joe Grand — who is based in Portland also known by his hacker alias “Kingpin" — uploaded a Youtube video explaining how he pulled off the ingenious hack.

After deciding to cash out an original investment of roughly $50,000 in Theta in 2018, Dan Reich, a NYC based entrepreneur, and his friend, realized that they had lost the security PIN to the Trezor One the tokens were stored on. After unsuccessfully trying to guess the security PIN 12 times, they decided to quit before the wallet automatically wiped itself after 16 incorrect guesses.

But with their investment growing to $2 million this year, they redoubled their efforts to access the funds. Without their wallet’s seed phrase or PIN the only way to retrieve the tokens was through hacking.

They reached out to Grand who spent 12 weeks of trial and error but eventually found a way to recover the lost PIN.

The key to this hack was that during a firmware update the Trezor One wallets temporarily move the PIN and key to RAM, only to later move them back to flash once the firmware is installed. Grand found that in the version of firmware installed on Reich’s wallet this information was not moved but copied to the RAM, which means that if the hack fails and RAM is erased the information about the PIN and key would still be stored in flash.

After using a fault injection attack — a technique that alters the voltage going to the chip — Grand was able to surpass the security the microcontrollers have to prevent hackers from reading RAM, and obtained the PIN needed to access the wallet and the funds. Grand explained:

“We are basically causing misbehavior on the silicon chip inside the device in order to defeat security. And what ended up happening is that I was sitting here watching the computer screen and saw that I was able to defeat the security, the private information, the recovery seed, and the pin that I was going after popped up on the screen."

According to a recent tweet from Trezor this vulnerability that allows it to read from the wallet’s RAM is an older one that has already been fixed for newer devices. But unless changes are made to the microcontroller fault injection attacks still can pose a risk.

Tags
Related Posts
It’s been 4 months & KeepKey’s hardware is still vulnerable to remote ransom attacks
A Shift Crypto employee successfully deployed a ransom attack on Trezor and KeepKey hardware wallets last May. While Trezor released a fix on September 2, KeepKey has yet to fix the issue. According to a blog post published on September 2, the vulnerability affected all cryptocurrencies on affected devices. The exploit, which was first spotted on April 15 by developers Shift Crypto, also affected KeepKey wallets — which were originally based on a fork of Trezor’s code and likely operate on similar foundations. When asked about the vulnerability, a KeepKey representative apparently commented that a fix had not yet been …
Technology / Sept. 3, 2020
Stolen Trezor, Ledger and KeepKey Databases Are a ‘Scam,’ Says SatoshiLabs
The hacker claiming to be selling user databases from top hardware wallet manufacturers Ledger, Trezor, and KeepKey appears to actually be peddling bunk, according to SatoshiLabs. On May 24, cybercrime monitoring blog Under the Breach reported that a hacker had begun advertising the customer databases of popular hardware wallet companies for sale. The data purportedly included the full names and physical addresses for over 80,000 user accounts. Under the Breach tweeted screenshots suggesting that the hacker obtained the databases by exploiting a vulnerability of popular e-commerce platform Shopify. “Don’t offer me low dolar, only big money allowed,” the hacker warns …
Blockchain / May 25, 2020
Trezor Responds to Ledger Report on Vulnerabilities in Its Hardware Wallets
Prague-based crypto wallet manufacturer Trezor has responded to а report about hardware vulnerabilities from its competitor Ledger on Tuesday, March 12. Trezor claims that none of the weaknesses revealed by Ledger in a detailed report on March 10, are critical for hardware wallets. As per Trezor, none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.” Trezor further cites the results of a recent security survey performed in partnership with major cryptocurrency exchange Binance. According to the survey, only around 6 percent of respondents believe that physical …
Blockchain / March 12, 2019
Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets
Major hardware wallets manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices, according to a report published on Monday, March. 11. As of press time, Trezor was not immediately available to comment on Ledger’s findings. The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly addressed Trezor about weaknesses in their Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended. The first issue is related to …
Blockchain / March 11, 2019
Research Team Demonstrates Hard Wallets Vulnerabilities, Trezor Promises Firmware Update
Researchers have reportedly shown how they were able to hack the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. The demonstration of the hacks was published in a video on Dec. 27. The research team behind the dubbed “Wallet.fail” hacking project is made up of hardware designer and security researcher Dmitry Nedospasov, software developer Thomas Roth and security researcher and former submarine officer Josh Datko. During the conference, the researchers announced that they have been able to extract the private key out of a Trezor One hardware wallet after flashing — overwriting existing data …
Blockchain / Dec. 28, 2018