The cybersecurity division of major US cryptocurrency exchange Kraken has publicly disclosed a critical hardware flaw in both flagship products of Trezor—Trezor One and Trezor Model T.

According to the blog post, it took Kraken Security Labs "just 15 minutes to hack both of [Trezor's] crypto hardware wallets." Yet, the described method requires around 15 minutes of "physical access" to the device—including opening its case—and some specialized equipment, so it can't really be called "easy."

Kraken said that it used voltage glitching to extract the encrypted seed—a set of words used to control some BitcoinBitcoin—from each of the devices. Once the seed was extracted, it brute forced the encryption, which was trivially easy to do, the report notes.

image: Decrypt

Trezor One Review: Can it still compete in 2020?

The Trezor Model One (or simply Trezor One), was the first cryptocurrency hardware wallet released by SatoshiLabs, and the first widely available commercial hardware wallet in general. Released in January 2014, the Trezor Model One gives users a way to securely store a wide variety of cryptocurrencieson a single device. Costing just $59 direct from Trezor, or slightly cheaper from official Amazon stockists, the Trezor Model One is a direct competitor to the popular Ledger Nano S. However, since...

ReviewsWallets
10 min read
Daniel Phillips

The attack itself takes advantage of "inherent flaws within the microcontroller used in the Trezor wallets." Kraken suggested that Trezor's team will have a hard time fixing this vulnerability "without a hardware redesign."

Kraken spend several hundreds dollars of equipment to carry out the hack but figured such a device—designed for voltage glitching—could be sold for just $75 if mass produced.

Bitcoin
BTC
+22.45%$106,930.32
24H7D1M1YMAX
Created with Highcharts 10.3.3Apr 22Apr 24Apr 26Apr 28Apr 30May 2May 4May 6May 8May 10May 12May 14May 16May 18May 20$85000$90000$95000$100000$105000$110000
Price data by
BTC price

It's worth mentioning that Kraken's experts have already contacted Trezor about this vulnerability. Pavol Rusnak, CTO of Trezor developer SatoshiLabs, reportedly added that “We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”

In its turn, Kraken Security Labs claims to "try to discover attacks against the crypto community before the bad guys do" and having "responsibly disclosed the full details of this attack to the Trezor team on October 30, 2019." The reason to go public with this vulnerability is cited as "so that the crypto community can protect themselves before a fix is released by the Trezor team."

Trezor fights back

Trezor responded to the post, arguing that device holders should use strong passphrases to keep their devices secure.

"Over the six years of existence of SatoshiLabs, we have dedicated a majority of our resources into mitigating remote attacks, and we have designed devices that are fully resistant to all online threats," Trezor wrote, in a blog post, adding, "We always knew that all hardware is hackable and the question about physical attacks is not if they will happen, but when they will happen."

Perhaps it's time to double check that passphrase.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.