NinjaLab, a team of security researchers, has discovered a vulnerability that went unnoticed for 14 years. It lies in the secure element hardware microcontrollers used by many cryptocurrency wallets. The vulnerability affects, for example, the new Trezor (safe 4 and safe 5) and the entire YubiKey 5 series with firmware version lower than 5.7. The EUCLEACK attack requires physical access to the hardware wallet. According to NinjaLab, this vulnerability went unnoticed for 14 years and around 80 Common Criteria certification assessments of the highest level. According to NinjaLab's research summary, the vulnerability affects all devices running the Infineon Technologies libraryone of the largest manufacturers of secure elements.
NinjaLab is a team of security experts. Source: https://ninjalab.io/eucleak/
What is the vulnerability found in wallets?
The discovery was made by Thomas Roche, co-founder of NinjaLab, who claims to have found a “side-channel vulnerability.” Having found it, he designed a side-channel attack (EUCLEACK) that demonstrates that It is possible to exploit the secure element microcontrollers carried by some cryptocurrency wallets. The feasibility of this physical attack was demonstrated by NinjaLab on a YubiKey 5Ci, a security key model that uses the FIDO protocol, which is usually composed of a secure element. In general, this lateral insecurity affects even microcontrollers of more recent design, like the ones in the Trezor Safe series. Therefore, it does not affect Nano or T models.
Finally, we show that the vulnerability extends to the latest Infineon Optiga Trust M and Infineon Optiga TPM security microcontrollers. NinjaLab, security experts.
NinjaLab emphasizes that they have not yet proven that the EUCLEAK attack applies to any of these products. That said, this lateral attack on microcontrollers is theoretically possible. Additionally, they warn that A physical attack of this style is difficult and resource intensive.. As a result, devices with this previously undiscovered vulnerability would remain secure.
The EUCLEAK attack requires physical access to the device, expensive equipment, custom software, and technical skills. Therefore, as far as the work presented here is concerned, it is still safer to use your YubiKey or other affected products as a FIDO hardware authentication token to log into applications rather than not using one. NinjaLab, security experts.
Are Trezor wallets safe?
The above is in line with Trezor's statement. The company assures that Users' recovery phrases for their wallets are not at risk. And that the vulnerability detected has nothing to do with the process of creating and protecting backup copies.
Trezor Safe Series. Source: https://x.com/Trezor Additionally, he clarified some technical details about the relationship between the vulnerability and the Trezor architecture:
In theory, the Optiga vulnerability could allow someone to bypass authenticity control, but the risk of this resulting in counterfeit Trezors being sold is mitigated by a number of other tools at our disposal in the supply chain. As long as you've purchased your Trezor from our official e-shop or one of our official resellers, you don't have to worry about this! Trezor, hardware wallet company
As NinjaLabs has stated, this vulnerability poses a limited risk to owners of secure element hardware wallets. That said, this development may serve as a reminder that even secure element chips can suffer from potentially dangerous vulnerabilities and design flaws. An attitude influenced by this discovery should incline towards caution and foresight with hardware wallets. Such an attitude would be in contrast to another unfortunately common tendency: that of granting an almost magical prestige to these chips, often marketed as unbreakable, invulnerable and indestructible.