- Kraken Security Labs was able to extract seeds from both the Trezor One and the Trezor Model T
- Kraken disclosed the vulnerability to Trezor in October 2019 and, as the hardware wallet team had found the fix, made the flaw public
In shocking news, cryptocurrency exchange Kraken’s Security Labs announced that they were able to find a “critical flaw” in Trezor hardware wallets.
Kraken Security Labs announced on Friday that they have devised a way to extract seeds from both of Trezor's crypto hardware wallets, the Trezor One and the Trezor Model T.
The attack relies on voltage glitching to extract an encrypted seed; it required several hundred dollars of equipment, but the setup could be mass-produced at $75. The encrypted seed, which is protected by a 1-9 digit PIN, was then cracked, as such a PIN is “trivial to brute force.”
The team reveals that the attack took advantage of inherent flaws within the microcontroller used in Trezor wallets, meaning it is difficult for the Trezor team to do anything about this vulnerability at least without a hardware redesign.
Fix released by the Trezor team
A couple of weeks back, Kraken co-founder and CEO Jesse Powell advised that people shouldn’t store their coins on any cryptocurrency exchange even on Kraken, rather they should use Ledger or Trezor.
And now Kraken Security Labs has found a vulnerability which means even hardware wallets aren’t safe either.
But there is a solution. Do not allow anyone physical access to your Trezor wallet or you could permanently lose your crypto.
Well, Trezor has found the fix and released it; as Kraken states, they “disclosed the full details of this attack to the Trezor team on October 30, 2019.” It continued,
“We are going public with this vulnerability disclosure now so that the crypto community can protect themselves before a fix is released by the Trezor team.”
Do hardware wallets remain the best option?
To prevent the attack, the user must enable the BIP39 Passphrase in the Trezor Client, because the passphrase is not stored on the device.
The Passphrase feature is an “exceptionally” secure layer of active protection against physical attacks, said Trezor in its response to the attack.
It is not stored anywhere on the device and is used only temporarily whenever you enter it. The passphrase is case sensitive and belongs with the recovery seed.
Crypto Twitter was aghast at the news, but Trezor tried to calm everyone and clarified,
“Trezor is an open-source hardware wallet: we indeed don't use a secure element to let anyone verify our code, but that is also why the Passphrase feature exists – to fully mitigate the physical attacks, which are a case for 6-9% of people according to our research.”
Assuaging any concerns about having such a vulnerability itself, Trezor competitor Ledger stated, “Not to worry: we're not affected by this as we use a Secure Element.”
Ledger also emphasized that despite this, “Hardware wallets remain the best option for keeping your crypto safe.”