Researchers from “Wallet.fail” made a splash when they demonstrated successful hacks on the three most reputable cryptocurrency hardware wallets at the 35C3 Refreshing Memories Conference on December 27th.
Safe or “cold” storage of cryptocurrency has proven a stubborn problem in the sector, and digital currencies are best stored offline in a hardware wallet device. These devices typically resemble a standard thumb-drive with an interface or touchscreen and can be accessed by connecting the device to a computer via accompanying device-management software.
A basic hardware wallet device retails for around $125 USD.
Crypto is regularly stolen from “hot wallets” (software wallets stored on Internet-connected devices) and from cryptocurrency exchanges, where large pools of private keys are often stored with online access in order to permit fast and voluminous trades.
Hardware wallets are hacked far less often, but stories of bugs in or hacks on the devices nonetheless emerge every six months or so. Now security researcher and hardware designer Dmitry Nedospasov, software developer Thomas Roth, and security researcher and former submarine officer Josh Datko claim to have broken into the three top devices on the market, Cointelegraph reports:
- Trezor One: the Wallet.fail team says they were able to extract a private key from a Trezor wallet after “flashing” it (overwriting pre-established data) on devices where users hadn’t established a passphrase. (Always use a passphrase.)
- Ledger Nano S: the team claims they were able to install firmware of their choice on the device and even use it to play a game of “Snake.”
According to a team member:
“We can send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves [via software], or we can even go and show a different transaction [not the one that is actually being sent] on the screen.”
- Ledger Blue: This model is the company’s most expensive and includes a color touch-screen.
That device reportedly uses strong radio waves to communicate across its motherboard, and when plugged in, the team says the waves can be intercepted (and snooped on) from several meters away.
“Wallet.fail” says they were able to use AI software transmitted via the cloud to catch the leaking radio signals and remotely read passwords entered into a Ledger Blue device.
Trezor representative Pavol Rusnak took to Twitter to say the company had been blindsided by the researchers, but said Trezor would be fixing the problem in a firmware update to be released in January:
With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we'll be addressing them via a firmware update at the end of January.
— stick⚡Pavol Rusnak @ 35c3 (@pavolrusnak) December 28, 2018