Kraken Security Labs discovered critical vulnerabilities on both Trezor One and Trezor Model T hardware wallets.
Kraken was able to crack Trezor’s security within 15 minutes of having physical access to the Trezor wallet. Although these vulnerabilities were discovered in October of 2019, Kraken duly notified Trezor of the security flaws discovered.
On January 31, 2020, Kraken made the vulnerabilities and methodology used to crack Trezor wallets public, however, the article notes that “[Kraken Labs] responsibly disclosed the full details of this attack to the Trezor team on October 30, 2019. We are going public with this vulnerability disclosure now so that the crypto community can protect themselves before a fix is released by the Trezor team.”
Trezor responded to the discoveries made by Kraken.
According to Trezor’s response, “The Read Protection Downgrade (RDP) involves the voltage glitching of the STM32 microchip, which allows the attacker with specialized hardware, knowledge, and physical access to bypass the protection put in place by the manufacturer and extract the contents of the microcontroller’s flash memory. This way, the attacker can obtain the encrypted recovery seed from the device.”
Trezor pointed out that “all hardware is hackable and the question about physical attacks is not if they will happen, but when they will happen. Even though only a small portion of cryptocurrency users are concerned about physical attacks (<6%), we treat physical vulnerabilities with the same urgency as any remote vulnerability.”
While it is concerning that the Hardware wallets have these vulnerabilities, there are things that you can do to make Hardware wallets safer.
Keep your hardware wallets in a safe place
As clarified in the response from Trezor, the RDP attack involves physical access to the hardware wallet. That means, part of protecting your crypto wealth is to keep your Trezor wallet in a safe place. Even when the wallets are stored in a secure place, it is prudent to keep them in water and fire proof. Bank safe deposit boxes or other safeguards might be best to keep them away from being physically accessible to unauthorized persons.
The other aspect we learned about this attack is that even with physical access to the Trezor wallet in itself doesn’t mean that hackers could get into your wallet by manipulating the voltage. If the Trezor wallet is protected by a strong pass phrase – then this threat doesn’t seem to create any vulnerabilities on Trezor Wallet. Trezor has published a guide on setting a strong pass phrase – you can read it here.
Trezor made it clear that “The passphrase itself is not stored anywhere in hardware, SatoshiLabs doesn’t possess a backup, and therefore cannot be exposed or in any way “hacked” by a third party. When it comes to the passphrase, the user is the most crucial part of the whole process as it’s up to you to decide how complex your passphrase will be, how will you store it, protect it, or whether you should use one at all.”
In our view, physical safety and passphrase protection are an integral part of keeping your crypto wealth safe.
Thank you for reading and sharing this article. We appreciate you.
Everything in this article is an opinion, not an advice of any kind. This material has been prepared for general informational purposes only and it is not intended to be relied upon as accounting, tax, investment, legal or other professional advice. Please consult with a professional for specific advice.
We do not endorse or guarantee the accuracy of the information and claims made.
All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.