Hardware Wallets Trezor And KeepKey Face Potential ‘Man-in-the-Middle’ Ransomware Attacks
- A new report shows that two of the world’s top crypto hardware wallets are in danger of facing a ransomware attack.
- Trezor and KeepKey hardware wallets face a potential man-in-the-middle attack that does not need the attacker to be in physical contact with the wallet.
- Trezor wallet manufacturer SatoshiLabs released a firmware update addressing the bug on Sept. 2.
According to a Medium blog post by ShiftCrypto, a rival hardware wallet manufacturer, older versions of Trezor and KeepKey are exposed to a possible remote ransomware attack when users enter their passphrases on desktops and mobile phones. While no attack has yet been observed in the wild, the vulnerability in these wallets could see millions of crypto coins locked away by malicious wallet software acting as a man-in-the-middle.
The attack can only hold funds to ransom, not steal them: to take coins out of these hardware wallets, an attacker must still have physical access to the device. However, as the first potential attack on a hardware wallet that works remotely, developers from SatoshiLabs (Trezor) and ShapeShift (KeepKey) have been focused on fixing the bug.
The vulnerability arises from a passphrase word on both KeepKey and Trezor that is used to access the hardware wallet crypto coins. To key in the passphrase, users of the vulnerable wallets need to connect their hardware wallet device to a USB slot or corresponding app on their computer or mobile phone.
Here’s where the problem starts.
Once you connect the hardware wallet to your other device, you type the passphrase on the latter to start managing your accounts. Once the passphrase is entered, no confirmation is required on the hardware device itself, and that is where the problem lies.
Neither Trezor nor KeepKey displayed the passphrase on the wallet's own screen so the user could confirm it matched what they had typed. This means that if an attacker can compromise your computer or mobile, they could alter the passphrase relayed between the host and the wallet, locking you out of your funds.
This is in no way the user's fault, as they had no way to tell that the passphrase they typed and the one the hardware wallet actually received were different. For the ransomware attack to be completed, the user needs to keep using their old passphrase, which opens up the wallet's interface on their computer.
Every new address generated from that point on is tied to the attacker's passphrase, which puts them in control of the address. However, the attacker cannot access the funds within the wallet, as they would also need the seed phrase locked inside the hardware wallet, which requires physically obtaining the device.
While unable to reach the funds themselves, the attacker gains the power to hold the crypto in your hardware wallet to ransom, since the Trezor or KeepKey user cannot access the funds either.
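To make the mechanism above concrete from the defender's side, here is an added example (not code from ShiftCrypto, SatoshiLabs or ShapeShift) that simulates the passphrase flow. It uses the standard BIP39 seed derivation and a toy device model: the mnemonic never leaves the device, the host relays the passphrase, and a `confirm_on_screen` flag stands in for the fixed firmware behaviour of showing the received passphrase on the device display. The mnemonic, the substituted passphrase and the scenario names are constructed for the demonstration.

```python
import hashlib
import unicodedata

# Constructed demo mnemonic: the well-known all-"abandon" BIP39 test mnemonic.
# It is public and must never hold real funds.
DEMO_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salt = "mnemonic" + passphrase, 2048 rounds, 64-byte output. Any change to the
    passphrase yields an unrelated seed and therefore an unrelated set of addresses."""
    pwd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, 2048, dklen=64)


class SimulatedDevice:
    """Toy model of the hardware wallet (assumption, not the real firmware). The seed
    words stay on the device; the passphrase arrives from the host. `confirm_on_screen`
    models firmware that shows the received passphrase on its own display first."""

    def __init__(self, mnemonic: str, confirm_on_screen: bool):
        self._mnemonic = mnemonic
        self.confirm_on_screen = confirm_on_screen

    def unlock(self, relayed_passphrase: str, user_typed: str) -> bytes:
        if self.confirm_on_screen:
            # The device displays `relayed_passphrase`; the user compares it with what
            # they typed on the host and aborts the session on any mismatch.
            if relayed_passphrase != user_typed:
                raise ValueError("passphrase on device screen differs from the one typed")
        # Old behaviour: whatever the host relays is used silently.
        return bip39_seed(self._mnemonic, relayed_passphrase)


def host_session(device: SimulatedDevice, typed: str, host_compromised: bool) -> bytes:
    """Host software relays the typed passphrase to the device. A compromised host
    may relay something else (constructed value); the user is not told."""
    relayed = "substituted-by-host-malware" if host_compromised else typed
    return device.unlock(relayed, user_typed=typed)


def run_scenarios(typed: str = "correct horse") -> dict:
    """Report, per scenario, whether the user ends up in the wallet they expect."""
    expected = bip39_seed(DEMO_MNEMONIC, typed)
    results = {}

    old = SimulatedDevice(DEMO_MNEMONIC, confirm_on_screen=False)
    results["old_fw_clean_host_ok"] = host_session(old, typed, False) == expected
    # Silent substitution: the device derives an unrelated wallet, so coins sent to
    # its addresses cannot be reached again without the substituted passphrase.
    results["old_fw_tampered_host_ok"] = host_session(old, typed, True) == expected

    fixed = SimulatedDevice(DEMO_MNEMONIC, confirm_on_screen=True)
    results["fixed_fw_clean_host_ok"] = host_session(fixed, typed, False) == expected
    try:
        host_session(fixed, typed, True)
        results["fixed_fw_detects_tampering"] = False
    except ValueError:
        results["fixed_fw_detects_tampering"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The on-screen comparison is the whole mitigation: the host is untrusted by design, so the only channel the user can rely on is the device's own display. The example also checks the derivation against the published BIP39 test vector (passphrase `TREZOR`), so the simulated device derives the same seed a real BIP39 wallet would.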
The ShiftCrypto developer who disclosed the vulnerability stated that the development teams of both hardware wallets were notified of the possible ransomware attack back in April. Trezor announced its update on Sept. 2, releasing Trezor One v1.9.3 and Model T v2.3.3 to fix the bug. KeepKey, which shares much of its code with Trezor, has yet to patch the vulnerability, stating that it is “working on higher priority items first.”
BEG has yet to receive a response from the Trezor and KeepKey development teams.