Unciphered, a company of cybersecurity professionals who recover lost digital currency, reveals it found a way to physically hack into the Trezor T hardware wallet. Trezor reveals it acknowledged a similar-sounding attack vector several years ago.
A company of cybersecurity professionals who specialize in recovering lost or stolen digital currency say they have found a way to hack into our trending Trezor T hardware wallet once it’s in their physical possession.
Unciphered informed CoinDesk in an extensive series of conversations and over email it made use of an “unpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data.”
That’s all pretty technical, but the team did perform a laboratory demonstration – and documented it in a video – that it was able to hack into a Trezor T wallet supplied by CoinDesk and successfully retrieve our seed phrase and pin. Unciphered has previously hacked the EthereumWallet and recovered locked up cryptocurrency, though they claim on their website that they “do support every wallet in the market.”
Trezor informed CoinDesk that its team didn’t have enough details about the specific attack Unciphered performed to respond fully, but pointed out that it looked like an “RDP downgrade attack,” which was publicly flagged as a danger 3 years ago.
A press representative for the hardware wallet maker stated they were unaware of any attempts by Unciphered to reach out directly, despite the fact that, “as communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and incredibly sophisticated technological knowledge and advanced equipment.”
Trezor also mentioned that “even with the over, Trezors can be protected by a strong passphrase, which adds another layer of safety that renders a RDP downgrade useless.”
Hardware wallets are suddenly in focus because of the past few public backlash against the rival maker Ledger over its proposed optional “ recovery option,” which infuriated some users who had understood the device to be fully isolated. Numerous longtime cryptocurrency security specialists have recommended hardware wallets as a safer place to store assets than keeping them on exchanges – especially after last year’s collapse of Sam Bankman-Fried’s FTX Trading Ltd exchange – but the latest revelations show that the devices aren’t foolproof either.
Unciphered stated it wouldn’t confirm or deny whether its hack of the Trezor T would be considered an RDP downgrade, citing “current engagements and non-disclosure agreements” that restrict elaboration on “how this exploit chain works at this time.”
“Further, any technical disclosure would put Satoshilabs customers at potential danger till mitigations such as a new chip is utilized other than the STM32 in current use,” reports by Unciphered.
Unciphered noted that, despite the fact that Trezor is aware that the Trezor T model has a vulnerability in its STM32 chip, the company has not done anything to resolve that since the preliminary attempt to publicize the risk.
“The fact remains that through this post they are attempting to put the responsibility of securing their device on the customer rather than taking the responsibility of admitting that their device is fundamentally insecure,” Unciphered wrote in an email to CoinDesk.
Reports by Trezor: “Contrary to Unciphered’s states, Trezor has already taken whole lot of steps to fix this with the development of the world’s 1st auditable and transparent secure element through sister company Tropic Square.”
Alternative options to hardware wallets
It bears emphasizing that Unciphered’s vector of attack only works with the device in the hacker’s physical possession.
“Security is the fact that the threat can often be coming from inside the house,” stated Nick Federoff, head of marketing at Unciphered. “We can be our own worst enemy. So this is a huge part of it.”
And once a user sets up a hardware wallet, the wallet generates a random set of 12 or 24 words, known as a seed phrase, that allows access to the assets on the wallet.
As part of Unciphered’s attempt to demonstrate its capability, company officials requested CoinDesk to acquire a new Trezor T wallet, set it up with our own seed phrase and write that down somewhere safe. We then sent it via a secure mailing option to Unciphered’s lab, where they then went ahead to hack into it (recording some of the steps on a video) and in the end were able to retrieve our seed phrase and pin. The extra step of involving CoinDesk was suggested by the Unciphered team as a way of supplying assurance that the process wasn’t faked or that the device wasn’t compromised by a previous owner.
The device retails for $219 on the company’s website.
Unciphered acknowledged that it had not contacted Trezor to notify them about the vulnerability prior to trying to publicize it via an post on CoinDesk; often, such “white hat” attackers will work more cooperatively. “Unciphered has not contacted Trezor whether through our responsible disclosure program or otherwise,” stated a press representative at Trezor.
Unciphered informed CoinDesk that they had not contacted Trezor because “our obligations are to consumers instead of vendors, who have vested interests in selling more products, regardless of how vulnerable those products make the customers who use them.”