The Kraken exchange has reported a new flaw in the KeepKey wallet, allowing a hacker with access to the device to uncover the private keys. The flaw is only capable of being exploited if there is physical access to the device, Kraken noted in a blog posting.
What is worse, Kraken claims the theft of private keys can happen within 15 minutes of gaining physical access to the device.
“The attack takes advantage of inherent flaws within the microcontroller that is used in the KeepKey,” explained the testers from Kraken.
The attack is a combination of zapping the electronics of KeepKey, or voltage glitching. The 9-digit pin is then brute-forced to unlock the device. The KeepKey producers say they are aware of this attack, hence the general advice is not to give access to the hardware wallet. The funds remain protected against remote attacks, which can steal private keys from some online devices.
Kraken also advises users to activate a BIP39 passphrase, an additional approach to securing the funds, as this passphrase is not stored on the device. KeepKey also recently released the new approach to securing the private keys with one more pass phrase:
https://twitter.com/cryptokeepkey/status/1204608269504929794
The researchers have discovered the vulnerability this September, but notified KeepKey first. Now, the potential attack is disclosed to the public.
Both LEDGER and TREZOR have discovered vulnerabilities if physical access is allowed. More recently, the idea to store BTC private keys on actual durable materials has surfaced. This also led to the scandal surrounding the Ballet wallet, essentially a paper wallet printed on metal.
The biggest problem with Ballet was the pre-fabricated private keys, which are generated ahead of time and potentially tainted or kept by a third party.
https://twitter.com/bitcoinization/status/1204409658171174912
Metal wallets of various types also appear as novelty items:
https://twitter.com/LynxCollection/status/1193604064199745536
However, when using those wallets to give BTC, the best approach for the receiver is to empty them to a wallet where no one else could have viewed the private keys.
