The fault had already been identified last June at a conference in the Netherlands. Users are advised to use additional protection and prevent strangers from manipulating the device.

It was reported that the Kraken Security Labs team found a serious vulnerability in the KeepKey cryptocurrency cold wallets that allowed them to extract the seed with only about 15 minutes of physical access to the wallet.

In the report, published on December 10th, the analysts at Kraken Security Labs note that they identified the vulnerability by carrying out a voltage glitching attack, through which they managed to extract the encrypted seed.

According to experts, voltage glitching attacks involve manipulating hardware operating parameters and are usually used to cause momentary faults in secure devices that process or store confidential data. The attack against the hardware took advantage of weaknesses inherent in the microcontroller used in KeepKey.

At a technical level, Kraken Security Labs determined that the vulnerability lies in the manufacturer's firmware, the program that establishes the logic controlling the electronic circuits. The voltage glitch is aimed at the microcontroller code that runs during the device's boot, which is the point at which the chip's security configuration is loaded.

In this way, the researchers conclude that it is “an inherent hardware vulnerability that cannot be patched and requires that the underlying hardware be completely replaced.”

As a result, the flaw makes it possible to use specialized electronic equipment to read the encrypted data from its storage location. Software can then guess the 1-9 digit PIN code by testing all possible combinations, which is how the encrypted seed was deciphered despite being protected. The analysts explain that decryption is trivial with a "brute-force" attack, which simply tries every possible key until it finds the right one.

Counting digits, letters and special characters, 62 in total, a 9-character key would require hundreds of billions of attempts (62^9). However, with current techniques, a supercomputer that can test 1 billion combinations per second would need less than half an hour to decrypt the seed.

The note adds that, although this type of attack requires specialized knowledge and physical access to the hardware, a user-friendly glitching device could be built for around USD 75. "Unfortunately, this means that it is difficult for the KeepKey team to do something about this vulnerability without redesigning the hardware," they reiterate.

Known Vulnerability

It should be noted that the vulnerability in these cold wallets had already been identified last June at a conference held in Amsterdam, the Netherlands. Security Director Charles Guillemet gave a presentation there on flaws present in several open hardware wallets, KeepKey among them.

In this regard, the exchange ShapeShift, partnered with KeepKey since 2017, also said that it was aware of the flaw at the time of the partnership. In a note published on its blog in June 2019, it mentioned the problem. At that time, it said that most wallets, including KeepKey, are designed to protect the user from more common attacks such as malware, viruses and remote hackers seeking to steal private keys, whereas voltage glitching attacks extract the seed by a different route.

To protect devices from this type of attack, the Kraken Security Labs team advises users to prevent other people from handling the cold wallet. A further security measure is to enable an additional BIP39 passphrase in the KeepKey client; although a little harder to use in practice, the passphrase is not stored on the device.
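As an added illustration of why the passphrase advice works (example code written for this article, not KeepKey's or Kraken's code): the mnemonic recovered from a device is only the first input to the BIP39 seed derivation; the passphrase is the second input and is never written to the wallet, so a seed derived without it is a different seed. The mnemonic below is the publicly documented BIP39 test-vector mnemonic, and the guess rate used in the PIN calculation is the 1 billion per second figure quoted above; both are assumptions of the example, not figures from KeepKey's design.

```python
import hashlib
import unicodedata

# Constructed input: the standard BIP39 "all-zero entropy" test-vector
# mnemonic. On a wallet this is the secret that physical extraction yields.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and "mnemonic" + NFKD(passphrase) as the salt.
    A different passphrase therefore yields an unrelated seed, and hence
    unrelated keys, from the same mnemonic.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def passphrase_changes_seed(mnemonic: str, passphrases) -> bool:
    """True if every passphrase in the list produces a distinct seed."""
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(passphrases)


def pin_search_space(max_digits: int = 9) -> int:
    """Number of candidate PINs of 1 to max_digits decimal digits.

    This bounds the work needed to recover a seed protected only by the PIN
    once the encrypted blob has been read out of the chip.
    """
    return sum(10 ** n for n in range(1, max_digits + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # Seeds with and without a passphrase from the same mnemonic.
    print("no passphrase :", bip39_seed(MNEMONIC).hex())
    print("with 'TREZOR' :", bip39_seed(MNEMONIC, "TREZOR").hex())
    # A 1-9 digit PIN space at the article's assumed 1e9 guesses/second.
    space = pin_search_space(9)
    print(f"PIN candidates: {space}, exhausted in {seconds_to_exhaust(space, 1e9):.2f} s")
```

The PIN arithmetic shows why the on-device protection alone is bounded: the whole 1-9 digit PIN space is about 1.1 billion candidates, whereas a passphrase has no fixed length and is absent from the extracted data altogether, so the seed derived from the mnemonic alone does not unlock the passphrase-protected accounts.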

By Willmen Blanco
