Reports exposing potential security weaknesses in one major cryptocurrency wallet and one hardware chip used for storing cryptographic keys are a constant reminder of the challenge of storing private keys—used to control access to cryptocurrencies—safely.
According to researchers at Kraken Security Labs, an attack known as “voltage glitching” lets hackers extract encrypted seeds from the KeepKey hardware wallet—backed by crypto exchange ShapeShift—in just 15 minutes.
While the researchers claim that the method requires “specialized hardware and knowledge,” they explained that “a consumer-friendly glitching device could be created for about $75.”
Although encrypted seeds are usually protected by a 1-9 digit pin, the researchers said it’s “trivial to brute force.” They identified a number of flaws within the microcontroller of KeepKey.
In a blog post, the researchers said: “This unfortunately means that it is difficult for the KeepKey team to do anything about this vulnerability without a hardware redesign.”
Standalone hardware wallets are not the only place to store private keys. Electronic manufacturers, including Samsung and HTC, are bringing out phones that use physical hardware within the phones to store private keys. However, it turns out that there are potential risks for this kind of strategy.
In this case, weaknesses have been found with Intel’s SGX chip. It is specifically designed for storing sensitive information, including cryptographic keys—such as private keys. Blockchain consortium R3 has been working on integrating its private blockchain platform Corda with the Intel SGX chip since 2017.
However, a new research paper shows that a voltage attack, similar to the one described above, was able to bypass the security of the SGX chip, revealing any cryptographic keys it might be holding.
“In this paper, we present Plundervolt, a novel attack against Intel SGX to reliably corrupt enclave computations by abusing privileged dynamic-voltage-scaling interfaces,” a group of international researchers wrote, in a research paper.
Crypto exchanges are known for being light on security. If crypto wallets can’t fill the void then we’re truly lost for good.