The cybersecurity division of major US cryptocurrency exchange Kraken has publicly disclosed a critical hardware flaw in both flagship products of Trezor—Trezor One and Trezor Model T.
🚨It took Kraken Security Labs just 15 minutes to hack both of @trezor’s crypto hardware wallets.
Here’s how we did it and what it means if you’re a user: https://t.co/5betNtDnD0
— Kraken Exchange (@krakenfx) January 31, 2020
According to the blog post, it took Kraken Security Labs "just 15 minutes to hack both of [Trezor's] crypto hardware wallets." Yet, the described method requires around 15 minutes of "physical access" to the device—including opening its case—and some specialized equipment, so it can't really be called "easy."
Kraken said that it used voltage glitching to extract the encrypted seed—a set of words used to control some Bitcoin—from each of the devices. Once the seed was extracted, it brute-forced the encryption, which was trivially easy to do, the report notes.
The attack itself takes advantage of "inherent flaws within the microcontroller used in the Trezor wallets." Kraken suggested that Trezor's team will have a hard time fixing this vulnerability "without a hardware redesign."
Kraken spent several hundred dollars on equipment to carry out the hack but figured such a device—designed for voltage glitching—could be sold for just $75 if mass produced.
It's worth mentioning that Kraken's experts have already contacted Trezor about this vulnerability. Pavol Rusnak, CTO of Trezor developer SatoshiLabs, reportedly added, “We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”
In turn, Kraken Security Labs claims to "try to discover attacks against the crypto community before the bad guys do" and to have "responsibly disclosed the full details of this attack to the Trezor team on October 30, 2019." The reason cited for going public with this vulnerability is "so that the crypto community can protect themselves before a fix is released by the Trezor team."
Trezor fights back
Trezor responded to the post, arguing that device holders should use strong passphrases to keep their devices secure.
"Over the six years of existence of SatoshiLabs, we have dedicated a majority of our resources into mitigating remote attacks, and we have designed devices that are fully resistant to all online threats," Trezor wrote, in a blog post, adding, "We always knew that all hardware is hackable and the question about physical attacks is not if they will happen, but when they will happen."
Perhaps it's time to double-check that passphrase.