A new firmware update for Trezor's Bitcoin hardware wallets counteracts a vulnerability in how the devices handle passwords. The vulnerability, which affects an extra password known as “word 25”, exposes the wallets to the hijacking of funds.

The vulnerability arises when a user enters the password to synchronize the wallet with the computer, because the Trezor does not require confirmation of this password on the device. The password is an optional security factor added to the 24 words that Trezor uses as a seed, and it serves to hide funds.

When word 25 is enabled, a mechanism is activated: every time a user enters a wrong term, a new address is created and displayed as if it were the wallet's main one.

Bencum, who is part of the team that makes BitBox wallets, points out that an attacker could interfere with the data shared between the wallet and the computer, preventing the user from accessing the wallet behind their extra password. And since the Trezor doesn’t ask for confirmation, the user would have no way of noticing that something is wrong. They would simply be looking at a new wallet that does not reflect their bitcoin balance.
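Why a swapped passphrase goes unnoticed, as an added example that is not part of the original article or Trezor's firmware: under BIP39, the standard Trezor uses for its seed words, every passphrase derives a valid seed, so nothing is ever rejected as "wrong". The `wallet_id` and `unlock` helpers and the sample values are hypothetical and model only the confirmation step.

```python
import hashlib
import unicodedata

# Constructed 24-word sample mnemonic for illustration; never use it for real funds.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 23 + ["art"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_id(seed: bytes) -> str:
    """Hypothetical short identifier standing in for the wallet's first address."""
    return hashlib.sha256(seed).hexdigest()[:16]


def unlock(mnemonic, passphrase_from_host, confirm_on_device=None):
    """Model of unlocking with a passphrase that arrives from the computer.

    confirm_on_device(passphrase) -> bool models the user reading the passphrase
    on the device screen and approving it. None models the behaviour the article
    describes before the fix: the device uses whatever it receives.
    """
    if confirm_on_device is not None and not confirm_on_device(passphrase_from_host):
        return None  # user saw a passphrase they did not type and declined
    return wallet_id(bip39_seed(mnemonic, passphrase_from_host))


if __name__ == "__main__":
    typed = "my extra word"          # constructed: what the user typed
    received = "something else"      # constructed: what reached the device instead

    def user_check(shown: str) -> bool:
        return shown == typed

    print("expected wallet:      ", unlock(SAMPLE_MNEMONIC, typed))
    print("no confirmation:      ", unlock(SAMPLE_MNEMONIC, received))
    print("with on-device check: ", unlock(SAMPLE_MNEMONIC, received, user_check))
    print("check, correct input: ", unlock(SAMPLE_MNEMONIC, typed, user_check))
```

Without the confirmation callback the second call returns a well-formed but different wallet; with it, the mismatch is caught before any wallet is derived.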

Trezor vulnerability does not allow direct access to bitcoins

Thanks to the vulnerability, a potential attacker could “run a server from which the malicious wallet would obtain a false passphrase every time the user unlocks their wallet.” With this method active, the user is kept from accessing the address that holds their funds before a ransom demand is presented.

“Without the passphrase, the user has no way to regain control of the coins without the cooperation of the attacker,” adds the developer, who notified Trezor last April about this error.

The attacker could only prevent access to the funds; since that extra password is encrypted, the attacker would not have direct access to the BTC. Otherwise, instead of a hijack, the attacker could send the bitcoins to any address they wanted.

Another Bitcoin wallet is exposed

The vulnerability exposed by Bencum does not affect only Trezor wallets. KeepKey devices, from the ShapeShift exchange, face the same risk of funds hijacking.

However, there is no immediate interest in correcting the error at KeepKey. Bencum says he has been “in regular contact with a KeepKey representative.” The company has informed him that “they have not yet proposed a solution for development, stating that they are working first on higher priority elements,” Bencum said in his publication.

This Trezor update follows another from June of this year, when the company also had to correct a vulnerability that exposed its users’ funds. In that case, it updated the firmware of its devices because of an error in SegWit transaction handling found in March.

By: Jenson Nuñez.

