Bitcoin hardware wallets are thought to be one of the most secure ways people can store their bitcoin and other cryptocurrencies—but they aren't perfect.
The bitcoin price is fast climbing towards $10,000, hitting fresh year-to-date highs of $9,900 over the last 24-hour trading period, and bitcoin buyers are keen to keep their bitcoin as safe as possible.
However, Kraken Security Labs, part of the San Francisco-based Kraken bitcoin and cryptocurrency exchange, has warned that the widely used Trezor bitcoin hardware wallets can be hacked to extract private keys—with attackers needing "just 15 minutes of physical access to the device" to break in.
Trezor users have been warned that the flaw is inherent to the wallet hardware and cannot be fixed, but bitcoin and crypto holdings can be protected if a passphrase that's not stored on the device is used.
"This passphrase is a bit clunky to use in practice but is not stored on the device and therefore is a protection that prevents this attack," researchers at Kraken Security Labs wrote in a blog post revealing the flaw, adding, "Trezor has known about these flaws since designing the wallets."
"This attack is very similar to our previous research against the KeepKey wallet, which is expected because the KeepKey is a derivative and all devices rely on the same family of chips."
In response, the Trezor team played down the seriousness of the flaw, arguing users are able to keep their bitcoin and crypto assets secure.
"It’s important to note that this attack is viable only if the passphrase feature does not protect the device," Trezor said. "A strong passphrase fully mitigates the possibilities of a successful attack."
To carry out the hack, attackers would need to either extract the hardware wallet's chip or attach connectors to the device.
A so-called glitcher device can then be used to break the built-in protection that prevents the chip’s memory from being read by external devices, which allows the attacker to read the wallet's private key seed.
The seed's encryption can then be broken with brute force, with Kraken researchers managing it in just two minutes.
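Why a passphrase that is not stored on the device protects funds, shown as an added example that is not code from Kraken or Trezor: it assumes the passphrase feature is the standard BIP39 passphrase and that the recovery mnemonic is the secret held on the device. The mnemonic is the public BIP39 test phrase, and the function names and the short weak-passphrase list are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the public BIP39 test mnemonic (never use it for real funds).
DEVICE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")

# Constructed audit list: "no passphrase" plus two weak choices.
WEAK_PASSPHRASES = ["", "password", "123456"]


def _nfkd(text: str) -> bytes:
    """BIP39 normalizes both inputs to NFKD before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds.

    The passphrase only enters through the salt, so it never needs to be
    stored next to the mnemonic.
    """
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048)


def master_key(seed: bytes) -> bytes:
    """BIP32 master private key: left half of HMAC-SHA512('Bitcoin seed', seed)."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def exposed_by_extraction(mnemonic: str, owner_passphrase: str,
                          weak_list=WEAK_PASSPHRASES) -> bool:
    """True if the device-resident mnemonic plus a weak-list passphrase
    reproduces the owner's master key, i.e. the wallet is not protected."""
    owner_key = master_key(bip39_seed(mnemonic, owner_passphrase))
    return any(
        hmac.compare_digest(owner_key, master_key(bip39_seed(mnemonic, p)))
        for p in weak_list
    )


if __name__ == "__main__":
    for label, pw in [("no passphrase", ""), ("weak", "password"),
                      ("strong", "orbit-canyon-velvet-19-harbor")]:
        print(f"{label:14s} exposed={exposed_by_extraction(DEVICE_MNEMONIC, pw)}")
```

A wallet with no passphrase, or with one from the weak list, is reported as exposed; the long constructed passphrase is not, which matches Trezor's statement that a strong passphrase mitigates the attack.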