
Trezor One, Ledger Nano S and Blue get hacked! Ledger denies! Trezor will update!

chepicap.com, 28 December 2018 18:01 UTC

At the 35th Chaos Communication Congress, researchers behind the 'Wallet.fail' hacking project reportedly demonstrated how they were able to hack the Trezor One, Ledger Nano S and Ledger Blue hardware wallets.

The researchers announced during the conference that they were able to extract the private key from a Trezor One hardware wallet after overwriting existing data. They did point out, however, that this only works if the user didn't set a passphrase.

Hardware designer and security researcher Dmitry Nedospasov, software developer Thomas Roth, and security researcher and former submarine officer Josh Datko demonstrated the hack in a published video.

The CTO of SatoshiLabs, Pavol Rusnak, responded to the hack on Twitter by saying that they were not informed through their Responsible Disclosure program beforehand, and that they will address the reported vulnerabilities through a firmware update at the end of January.

With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we'll be addressing them via a firmware update at the end of January.

— stick⚡Pavol Rusnak @ 35c3 (@pavolrusnak) December 28, 2018

Please keep in mind that this is a physical vuln. An attacker would need physical access to your device, specifically to the board—breaking the case.

If you have physical control over your Trezor, you can keep on using it, and this vulnerability is not a threat to you.

— Trezor (@Trezor) December 28, 2018

The 'hackers' further claimed that they were able to install any firmware on the most popular Ledger Nano S.

'We can send malicious transactions to the ST31 and even confirm it ourselves or we can even go and show a different transaction (so not the one that is actually being sent) on the screen.'

The research team also claimed to have found a vulnerability in the Ledger Blue: the signals sent to the screen leak as radio waves and can easily be received from several meters away when a USB cable is attached to the device.

However, Ledger denied the claims that critical vulnerabilities were uncovered on their Ledger devices.

'In particular, they did not succeed in extracting any seed or PIN on a stolen device. Every sensitive asset stored on the Secure Element remains secure.'

'Don’t worry', they say. 'Your crypto assets are still secure on your Ledger device.'

Yesterday, the https://t.co/qbY5avXAsw team held a presentation on potential vulnerabilities of hardware wallets. While the attacks shown on Ledger devices were not of a practical nature, we would like to provide you with some more insight

Read more here: https://t.co/jqHnJVzeU9

— Ledger (@LedgerHQ) December 28, 2018

The crypto community seems to respond with confidence.

Amazing response. I got more confidence on my ledger now. Thank you.

— CrypticSoul (@24CrypticMind) December 28, 2018

Professional response. Thank you. You are the industry standard.

— Cryptopresence (@cryptopresence) December 28, 2018
