The security unit of the leading San Francisco-based cryptocurrency exchange, Kraken said on Friday it has identified a critical vulnerability in two hardware wallets from Trezor – the Trezor One and Trezor Model T.
According to the announcement, Kraken Security Labs devised a strategy which enabled them to extract seeds from both wallets within 15 minutes of physical access to the device.
While explaining the process, the exchange’s security unit said they were able to extract the encrypted seed using the attack, which it says, relies on voltage glitching. Through this, they cracked the encrypted seed.
Although a 1-9 digit PIN normally secures the encrypted seed, it was trivial to brute force, according to Kraken Security Labs. Also, the attack took advantage of inherent flaws in the microcontroller used in both wallets, thereby making it difficult for the Trezor team to resolve unless it redesigns the hardware.
This initial research required some know-how and several hundred dollars of equipment, but we estimate that we (or criminals) could mass-produce a consumer-friendly glitching device that could be sold for about $75.
Although this is the first “detailed steps for a current attack against these devices,” the report today by the exchange is probably not for wrongdoings, however, to protect and shade users from future hacks which could result in loss of lifetime earnings.
Here’s How to Stay Safe
Until the Trezor team is able to redesign the hardware, Kraken urged users not to allow anyone physical access to their Trezor wallet, as they could end up losing their funds.
Also, Trezor wallet users are advised to enable a BIP39 passphrase, although it can be clunky to use. However, it can prevent such an attack, given that it is not stored on the device.
Trezor has responded to the development, stating that users are immune to the attack if they can enable a passphrase feature on the wallets.