Cybersecurity company Unciphered cracks Trezor cold wallets! PIN code and mnemonic phrase can both be extracted.
The cybersecurity company Unciphered uploaded a demonstration video today showing the successful cracking of the PIN code and recovery seed of a cold wallet developed by Trezor, within minutes of disassembling the device and connecting it to a computer. In light of this vulnerability, Unciphered recommends that Trezor recall the product.
Trezor Cold Wallet Cracking Process
In the Unciphered video demonstrating the cracking of a cold wallet, technician Eric Michelle first disassembles the Trezor T, removes the chip, installs it on an adapter board for soldering, and then connects it to a computer to initiate the cracking process.
After a short period of time, the cold wallet's PIN code is cracked, and the mnemonic phrase is extracted.
Eric explained that he used an attack program developed by his team to extract the firmware, which was then uploaded to a high-performance computer cluster consisting of approximately 10 GPUs for cracking.
Furthermore, Eric mentioned that the vulnerability in the Trezor T cannot be patched through a firmware upgrade. To address this issue, he suggested that Trezor's developer, SatoshiLabs, recall the product.
Note: This is not the first time Unciphered has cracked a cold wallet; they also cracked a cold wallet from OneKey in February of this year.
Trezor's Response to the Cracking Video
According to a report by The Block, Trezor acknowledges that the attack shown in the video is similar to the Read Protection Downgrade Attack, a vulnerability first identified by Kraken's Security Labs in 2019 that affects both the Trezor One and Trezor T cold wallets.
Trezor's CTO, Tomáš Sušánka, stated:
"As stated in our early 2020 article, the Read Protection Downgrade Attack requires physical access to the device, considerable technical knowledge, and advanced equipment. Even in such a scenario, Trezors can be protected through the use of the passphrase mnemonic feature, providing an additional layer of security."
Additionally, Trezor mentioned that they are collaborating with their sister company, Tropic Square, to develop more secure hardware chips for storage devices to prevent future issues.
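Why the passphrase mentioned in Trezor's response still matters once a mnemonic has been read off the chip, as an added example that is not from the article, Trezor or Unciphered: under BIP-39 the wallet seed is derived from the mnemonic and the passphrase together, so the protection is only as strong as the passphrase itself. The sample mnemonic, the passphrases, the entropy heuristic and the guess rate are constructed or assumed values.

```python
import hashlib
import math
import unicodedata

# Constructed sample input: the 12-word phrase from the public BIP-39 test vectors.
MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), b"mnemonic" + _nfkd(passphrase), 2048, dklen=64
    )


def passphrase_bits(passphrase: str) -> float:
    """Upper bound on entropy: assumes each character is random within the classes used."""
    pool = 0
    pool += 26 if any(c.islower() for c in passphrase) else 0
    pool += 26 if any(c.isupper() for c in passphrase) else 0
    pool += 10 if any(c.isdigit() for c in passphrase) else 0
    pool += 33 if any(not c.isalnum() for c in passphrase) else 0
    return len(passphrase) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e6  # assumption for illustration, not a measured figure
    for phrase in ["", "TREZOR", "v9#Lq2!mZr7@pX4w"]:  # constructed passphrases
        seed = bip39_seed(MNEMONIC, phrase)
        bits = passphrase_bits(phrase)
        print(f"{phrase!r:22} seed={seed.hex()[:16]}... "
              f"~{bits:.0f} bits, {years_to_exhaust(bits, RATE):.2e} years")
```

Each passphrase yields an unrelated seed from the same mnemonic, but because the derivation uses only 2048 PBKDF2 rounds, a short or dictionary passphrase adds little against an offline attacker who already holds the mnemonic.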