Kraken hacks Trezor Wallet in 15 minutes - security vulnerability was already known

in #english5 years ago (edited)




Successful laboratory test

Kraken Labs has managed to hack two hardware wallets from Trezor. To get access to the seed, physical access is necessary. Additionally, equipment was needed to disassemble the hardware and access it.

But once you have invested in the necessary materials, theoretically every further hack is no longer costly. All that is needed is a Trezor Wallet Model T or the Trezor One and some time.

In a model experiment presented in a video, the seed can be extracted from the hardware in only 15 minutes.

A glitch makes it possible

A glitch in the power supply of an affected chip can be used to obtain the encrypted seed as a data record. It takes only a very short time, to break the encryption.

A simple "Brute Force" attack is sufficient to get the seed in plain text. With the described method, the computer calculates all possible password combinations and simply tries them out until the right combination is found.

This allows the devices to be attacked not only quickly, but also with very simple means.

The gap described by Kraken has probably been known for a long time, but the vulnerability has not been so drastically demonstrated. Basically there is no way to fix the bug by a patch.

The problem exists on the hardware side, so Trezor would have to ship redesigned devices to finally fix the problem. However, users of the mentioned Trezor models are not completely stuck.

If they protect their wallet with a strong password (passphrase), the problem does not exist, according to Trezor. However, this is optional and therefore it can be assumed that not all users have actively taken care of it.


Picture License



Posted from Crypto Mastermind Go to the original article
Sort:  

What is the difference between "Password" and "Passphrase" weithin this context?

Posted using Partiko Android

Hey Felix, a seed for a trezor and ledger has 24 word seed you write down. In total the seed is 25 words long and the 25th is a standard word that you can edit to any word you want. So for example your 25th word is "car" then if someone hacks or finds your seed he has 24 words but you changed the 25th standard word to "car", so he is unable to access your trezor/ledger.

So if you wanna keep you trezor / ledger safe its recommended to change the 25th word and set a own passphrase. A password would be the pin you set on your trezor or ledger and as you can see on the trezor they can just hack it with brute forcing until they find the right pin.

An interesting thing is with passphrases you can change the 25th word to anything you want and everytime you set a different passphrase you create a totaly new trezor / ledger. So for example you can have your 24 word seed but then have 2 different passphrases as 25th word so you have basically 1 seed but 2 trezors / ledgers.

If thats too complicated for you to look up just get a ledger because since ledger uses the same hardware chips as banks use, its by now still unhackable (until someone proves it wrong ;) ). We always recommend using passphrases but if you forget the last word but have the seed you still wont be able to access your device. So be careful :)

change the 25th word and set a own passphrase. got it, thx for the info