Unciphered, a company of cybersecurity professionals who recover lost digitalย currency, reveals it found a way to physically hack into the Trezor T hardware wallet. Trezor reveals it acknowledged a similar-sounding attack vector severalย years ago.
A company of cybersecurity professionals who specialize in recovering lost or stolen digitalย currency say they have found a way to hack into ourย trending Trezor T hardware wallet once itโs in their physical possession.
Unciphered informed CoinDesk in an extensive series of conversations and over email it made use of an โunpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data.โ
Thatโs all pretty technical, but the team did perform a laboratory demonstration โ and documented it in a video โ that it was able to hack into a Trezor T wallet supplied by CoinDesk and successfully retrieve our seed phrase and pin. Unciphered has previously hacked the EthereumWallet and recovered locked up cryptocurrency, though they claim on their website that they โdo support every wallet in the market.โ
Trezor informed CoinDesk that its team didnโt have enough details about the specific attack Unciphered performed to respond fully, but pointedย outย that it looked like an โRDP downgrade attack,โ which was publicly flagged as a danger 3 years ago.
A press representative for the hardware wallet maker stated they were unaware of any attempts by Unciphered to reach out directly, despiteย theย factย that, โas communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and incredibly sophisticated technological knowledge and advanced equipment.โ
Trezor alsoย mentionedย that โeven with the over, Trezors can be protected by a strong passphrase, which adds another layer ofย safety that renders a RDP downgrade useless.โ
Hardware wallets are suddenly in focus becauseย ofย theย pastย few public backlash against the rival maker Ledger over its proposed optional โ recovery option,โ which infuriated some users who had understood the device to be fully isolated. Numerous longtime cryptocurrency security specialists have recommended hardware wallets as a safer place to store assets than keeping them on exchanges โ especially after last yearโs collapse of Sam Bankman-Friedโs FTXย Tradingย Ltd exchange โ but the latest revelations show that the devices arenโt foolproof either.
Unciphered stated it wouldnโt confirm or deny whether its hack of the Trezor T would be considered an RDP downgrade, citing โcurrent engagements and non-disclosure agreementsโ that restrict elaboration on โhow this exploit chain works at this time.โ
โFurther, any technical disclosure would put Satoshilabs customers at potential danger till mitigations such as a new chip is utilized other than the STM32 in current use,โ reportsย by Unciphered.
Unciphered notedย that, despiteย theย factย that Trezor is aware that the Trezor T model has a vulnerability in its STM32 chip, the company has not done anything toย resolve that since theย preliminary attemptย to publicize the risk.
โThe fact remains that through thisย post they are attemptingย to put the responsibility of securing their device on the customer rather than taking the responsibility of admitting that their device is fundamentally insecure,โ Unciphered wrote in an email to CoinDesk.
Reportsย by Trezor: โContrary to Uncipheredโs states, Trezor has already taken wholeย lotย of steps toย fix this with the development of theย worldโs 1st auditable and transparent secure elementย through sister company Tropic Square.โ
Alternative options to hardware wallets
It bears emphasizing that Uncipheredโs vector of attack only works with the device in the hackerโs physical possession.
โSecurity isย theย factย that the threat can often be coming from inside the house,โ stated Nick Federoff, head of marketing at Unciphered. โWe can be our own worst enemy. So this is a huge part of it.โ
Andย once a user sets up a hardware wallet, the wallet generates a random set of 12 or 24 words, known as a seed phrase, that allows access to the assets on the wallet.
As part of Uncipheredโs attemptย to demonstrate its capability, company officials requested CoinDesk to acquire a new Trezor T wallet, set it up with our own seed phrase and write that down somewhere safe. We then sent it via a secure mailing option to Uncipheredโs lab, where they then wentย ahead to hack into it (recording some of the steps on a video) and inย theย end were able to retrieve our seed phrase and pin. The extra step of involving CoinDesk was suggested by the Unciphered team as a way of supplying assurance that theย process wasnโt faked or that the device wasnโt compromised by a previous owner.
The device retails for $219 on the companyโs website.
Unciphered acknowledged that it had not contacted Trezor to notify them about the vulnerability prior to tryingย to publicize it via an post on CoinDesk; often, such โwhite hatโ attackers will work more cooperatively. โUnciphered has not contacted Trezor whether through our responsible disclosure program or otherwise,โ stated a press representative at Trezor.
Unciphered informed CoinDesk that they had not contacted Trezor because โour obligations are to consumers instead of vendors, who have vested interests in selling more products, regardlessย of how vulnerable those products make the customers who use them.โ
Bradley Keoun.
