Trezor Wallets Can Be Hacked, Kraken Reveals

Published at: Jan. 31, 2020

Kraken Security Labs revealed on Jan 31. that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it “requires just 15 minutes of physical access to the device.”

The attack requires a physical intervention on the Trezor wallet by either extracting its chip and placing it on a special device or soldering a couple of critical connectors.

The Trezor chip must then be connected to a “glitcher device” that would send it signals at specific moments. These break the built-in protection that prevents the chip’s memory from being read by external devices. 

The trick allows the attacker to read critical wallet parameters, including the private key seed.

Though the seed is encrypted with a PIN-generated key, the researchers were able to brute force the combination in just two minutes. 

The vulnerability is caused by the specific hardware used by Trezor, meaning that the company cannot easily fix it. It would need to completely redesign the wallet and recall all existing models.

In the meantime, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.

In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.

Finally, the team suggested users activate the wallet’s passphrase feature to protect from such attacks. The password is never stored on the device as it is added to the seed to generate the private key on the fly. Kraken also noted that this is a viable alternative, though researchers referred to it as “a bit clunky to use in practice.”

The feature also adds significant responsibility to each user. The passphrase needs to be complex enough to not be easily brute forced as well, and forgetting it would completely lock users out of their money.

Cointelegraph reached out to Kraken for additional details, but had not received a response as of press time. The article will be updated as more information becomes available.

Tags
Related Posts
Trezor Responds to Ledger Report on Vulnerabilities in Its Hardware Wallets
Prague-based crypto wallet manufacturer Trezor has responded to а report about hardware vulnerabilities from its competitor Ledger on Tuesday, March 12. Trezor claims that none of the weaknesses revealed by Ledger in a detailed report on March 10, are critical for hardware wallets. As per Trezor, none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.” Trezor further cites the results of a recent security survey performed in partnership with major cryptocurrency exchange Binance. According to the survey, only around 6 percent of respondents believe that physical …
Blockchain / March 12, 2019
Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets
Major hardware wallets manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices, according to a report published on Monday, March. 11. As of press time, Trezor was not immediately available to comment on Ledger’s findings. The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly addressed Trezor about weaknesses in their Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended. The first issue is related to …
Blockchain / March 11, 2019
Trezor investigates potential data breach as users cite phishing attacks
Cryptocurrency hardware wallet provider Trezor has begun investigating a possible data breach that may have compromised users’ email addresses and other personal information. Earlier today, on Apr. 3, several users from the Crypto Twitter community warned about an ongoing email phishing campaign specifically targeting Trezor users via their registered email addresses. Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit. pic.twitter.com/GF0Od6llr2 — josearkaos ⚡️ (@josearkanos) April 3, 2022 In the ongoing attack, several Trezor users have been contacted by unauthorized actors posing as …
Blockchain / April 3, 2022
What happens if you lose or break your hardware crypto wallet?
Hardware cryptocurrency wallets are known for granting users full control of their crypto and providing more security, but such wallets are prone to risks such as theft, destruction or loss. Does that mean that all your Bitcoin (BTC) is lost forever if your hardware wallet is lost, burned or stolen? Not at all. There are a number of options to restore cryptocurrency for someone who has lost access to their hardware wallet. The only requirement to recover crypto assets, in that case, would be maintaining access to the private keys. A private key is a cryptographic string of letters and …
Blockchain / June 14, 2022
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet
An NFT influencer claims to have lost “a life-changing amount” of their net worth in nonfungible tokens (NFTs) and crypto after accidentally downloading malicious software found in a Google Ad search result. The pseudo-anonymous influencer known on Twitter as “NFT God” posted a series of tweets on Jan. 14 describing how his “entire digital livelihood” came under attack including a compromise of his crypto wallet and multiple online accounts. Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing …
Blockchain / Jan. 16, 2023