The Kraken Exchange, though relatively quiet in the mass media section, is still going, and going strong. One of its offshoots is the Kraken Labs, a firm dedicated to cybersecurity within the crypto industry. Quite recently, they’ve gone public with a popular hardware wallet’s exploit that can be cracked in 15 minutes if you know what you’re doing.
Earlier today Kraken Security Labs reported a *responsible disclosure* of a vulnerability in both of @Trezor’s #crypto hardware wallets.
You can read the TREZOR team’s full response here: https://t.co/YumGfLj50d
— Kraken Exchange (@krakenfx) January 31, 2020
Hardware Fault In Model T And One
The exploit works with both the Trezor Model T and the Trezor One, and the vulnerability forces the wallet to expose its encrypted seed phrase stored on the device. With only a PIN protecting it, it can be brute-forced into revealing the seed phrase and make you capable of moving the funds inside the wallet with ease.
The hack itself gets explained in greater detail by way of Kraken Security Labs’ blog post. The hack itself exploits a very well known flaw within the Trezor wallet’s hardware. Due to where the vulnerability is based in, it makes it difficult to quickly address, unless Trezor completely redesigns and redistributes its wallets.
Hacked For As Little As $75
The blog post goes into detail about how the researchers used their specialist knowledge and equipment that was deemed “Several hundred dollars” worth to crack the device. What should be noted, though, should someone try to mass-produce the needed hardware, the overall cost of the equipment stands at about $75.
Trezor itself had to respond to the attack itself, as well and did so publically. The company officially acknowledged the risks that the attack poses it, dubbing it the Read Protection Downgrade Attack.
Crowd Control
As Trezor’s post explains, the attacker needs to gain access to the device itself, as well as create a specialized device capable of sending timed voltage glitches. Once this causes the system to malfunction, the attacker is capable of brute-forcing a 9-digit code that serves as a security measure.
Both Trezor and Kraken use this as grounds to encourage the usage of optional passphrases to protect a user’s holdings further. No matter how good a hacker is, if it’s locked behind a robust password and there’s no way around it, there’s nothing a hacker can do. Luckily, there’s no exploit to be made at the passphrase side of Trezor’s system, as well. However, until this matter is resolved, it should be considered the only security measure you have, should you own a Trezor wallet.
