In a blog post, Kraken Security Labs showed that Trezor hardware wallets and their derivatives can be hacked to extract the user’s private keys. The procedure is difficult, but according to Kraken it “requires just 15 minutes of physical access to the device.”
The attack requires physical intervention. The attacker needs to extract the chip from the wallet and put it inside a special device. Alternatively, 2 critical connectors can be soldered. The goal is to connect the Trezor’s chip to a special “glitcher device” that sends signals at the required moments. These signals break the chip’s built-in protection, which prevents its memory from being read by external devices. As a result, the attacker can read critical wallet parameters, including private keys.
The seed of the Trezor hardware wallet is encrypted with a unique key generated from the PIN. Even so, researchers can brute-force the correct combination in around 2 minutes.
The Trezor wallet’s vulnerability appears to be caused by the hardware the company uses, which in practice makes it very difficult to fix. It is highly possible that Trezor will need to fully redesign its wallet, with a recall of all current models being considered.
Kraken Security Labs urged KeepKey and Trezor users to make sure that nobody gains physical access to their wallets.
Trezor responded to Kraken’s claim, saying that the discovered vulnerability has minimal impact. Its argument was that any such attack leaves visible signs of tampering, because the device needs to be opened, and that specialized hardware has to be used.
The team suggested that users now activate the wallet’s passphrase feature to protect themselves from such an attack. Kraken agreed that the possibility of gaining access to the funds on the device is low but not impossible.
Every Trezor wallet user needs to take responsibility. A passphrase needs to be really complex so that it cannot be cracked by brute force. Forgetting the passphrase, however, means the user is completely locked out.
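Why the passphrase helps and why its strength matters, as an added example (not code from Kraken, Trezor or the original article). It assumes the passphrase feature follows the BIP-39 standard, in which the passphrase is mixed into seed derivation rather than stored on the device; the mnemonic is the public BIP-39 test phrase and the keyspaces are constructed.

```python
import hashlib
import time
import unicodedata

# Constructed input: the public BIP-39 test phrase, not a real wallet.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase, 2048 rounds."""
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic),
                               b"mnemonic" + _nfkd(passphrase), 2048, 64)


def seconds_per_guess(trials: int = 20) -> float:
    """Measured cost of one passphrase guess on this machine (one CPU core)."""
    start = time.perf_counter()
    for i in range(trials):
        bip39_seed(SAMPLE_MNEMONIC, f"guess-{i}")
    return (time.perf_counter() - start) / trials


def years_to_search(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit a passphrase chosen uniformly from `keyspace`."""
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    mnemonic_only = bip39_seed(SAMPLE_MNEMONIC)        # seed from the mnemonic alone
    protected = bip39_seed(SAMPLE_MNEMONIC, "TREZOR")  # standard test-vector passphrase
    print("same wallet without the passphrase?", mnemonic_only == protected)
    rate = 1 / seconds_per_guess()
    # Dedicated cracking hardware is far faster than one Python core, so
    # read these figures as optimistic upper bounds on resistance.
    for label, keyspace in [("4 digits", 10**4),
                            ("6 random lowercase letters", 26**6),
                            ("6 random Diceware words", 7776**6)]:
        print(f"{label}: ~{years_to_search(keyspace, rate):.3g} years")
```

The same mnemonic yields an unrelated seed for every passphrase, so the only remaining protection is the size of the passphrase keyspace.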
While the news that the Trezor hardware wallet can be hacked is concerning for people in the industry, the possibility of having the account hacked is really low, because the attacker needs to gain direct access to the wallet and then use specialized tools to crack it.