A group of security specialists have discovered that several popular cryptocurrency hardware wallets are vulnerable to compromise. The wallets have inherent weaknesses that could allow them to be attacked. The specialists have published their findings, but the manufacturers insist that there are no issues with the wallets.
The vulnerabilities, which could allow side-channel, supply-chain, microcontroller or firmware attacks, were identified by three researchers: Thomas Roth, Josh Datko and Dmitry Nedospasov. The researchers have designated the weaknesses as “wallet.fail” and assert that they are found in a number of hardware wallets, including the Trezor One, the Ledger Blue and the Ledger Nano S.
The trio demonstrated a proof-of-concept attack at the 35C3 conference held last month in Leipzig, Germany. They showed that the attacks can target firmware, software or hardware, as well as physical and architectural design flaws. According to the researchers, some vulnerabilities can only be countered by changing hardware or microcontrollers.
By installing a hardware implant combined with spyware into a device, the researchers were able to steal the PIN of the wallets. They were also able to load custom firmware, allowing them to create malicious transactions to send digital assets and to display fake transactions. Additionally, the researchers were able to steal PINs by intercepting radio signals and then flashing a separate device with special firmware that allowed them to gain access to the wallet’s private keys.
As is to be expected, the manufacturers have scoffed at the testing procedures used by the researchers, asserting that they weren’t very scientific. For its part, Ledger stated, “They did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure. Don’t worry, your crypto assets are still secure on your Ledger device.”
Whether or not the testing was scientific, any possibility of a wallet being compromised should be seen as a threat and needs to be addressed appropriately. As with any device used to protect financial resources, hardware and software crypto wallets need to be tightly secured, and users must take all possible precautions to ensure that the wallets cannot fall into the wrong hands.