Security researchers at Kraken, one of the largest cryptocurrency exchanges in the world, were able to access the private keys of the Trezor One and Trezor T hardware wallets. The vulnerability, however, can only be exploited by having the hardware in hand.
To exploit this bug, it was necessary to manipulate the voltage in the microcontroller. Because the attacker must be in possession of the physical device, the attack is somewhat less practical but, according to the team, with the right equipment, it is possible to extract the seed from the wallet in just fifteen minutes.
While this is not the first vulnerability found on Trezor devices, fixing it will likely require a complete hardware overhaul.
"It is a flaw that is present in the hardware, and not something where they can just put an update and fix it for all their customers," Kraken security chief Nick Percoco told The Block. "To solve this problem, they would essentially need to launch a new device."
The Trezor team, however, is already aware of this problem and was quick to publish a response to Kraken's findings.
In a Trezor blog post, the company thanked Kraken but said users are safe from this problem if they use the optional passphrase.
“It is important to note that this attack is only viable if the Passphrase feature is not active. A strong password completely mitigates the possibilities of a successful attack,” Trezor wrote.
In the last step of exploiting the vulnerability, Kraken needed to carry out a brute-force attack to break the PIN (four numbers from 1 to 9 that make the hardware secure). In addition to the PIN, which is mandatory, the user has the option of adding a second password layer (passphrase) with unlimited characters, which would make theft by this method almost impossible.
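The following Python sketch is an added example, not code from Kraken or Trezor. It shows why the passphrase helps: under the BIP-39 standard that Trezor wallets implement, the passphrase is mixed into the key derivation, so the extracted seed words alone only open the wallet that has no passphrase. The mnemonic is the public BIP-39 test vector, and the 95-character alphabet is an assumption.

```python
import hashlib
import unicodedata

# Constructed sample: the all-"abandon" mnemonic from the public BIP-39 test vectors.
MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP-39 requires NFKD normalisation before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    salt = _nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048)


def extraction_exposes_wallet(mnemonic: str, wallet_passphrase: str) -> bool:
    """True if the seed words alone (what the article says was extracted)
    reproduce the seed of the wallet the owner actually uses."""
    return bip39_seed(mnemonic) == bip39_seed(mnemonic, wallet_passphrase)


def pin_keyspace(length: int = 4, digits: int = 9) -> int:
    """PIN as described in the article: four digits, each from 1 to 9."""
    return digits ** length


def passphrase_keyspace(length: int, alphabet: int = 95) -> int:
    """Assumption: passphrase drawn from the 95 printable ASCII characters."""
    return alphabet ** length


if __name__ == "__main__":
    print("PIN candidates:", pin_keyspace())
    print("12-char passphrase candidates:", passphrase_keyspace(12))
    print("no passphrase, wallet exposed:", extraction_exposes_wallet(MNEMONIC, ""))
    print("with passphrase, wallet exposed:",
          extraction_exposes_wallet(MNEMONIC, "TREZOR"))
```

Each passphrase guess also costs a full 2048-round PBKDF2 computation, which is on top of the much larger search space.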