Unciphered, a company of cybersecurity professionals who recover lost cryptocurrency, says it found a way to physically hack into the Trezor T hardware wallet. Trezor says it acknowledged a similar-sounding attack vector a few years ago.
![Unciphered lab opening Trezor wallet](https://www.coindesk.com/resizer/l8mKOcqAtwzsKqY4iF2rVYkNZMQ=/1056x594/filters:quality(80):format(jpg)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/O5DUYMRBNVAFHCHSYEXEKXCJUU.jpeg)
Unciphered lab technician decasing the Trezor T. (Unciphered)
A company of cybersecurity professionals who specialize in recovering lost or stolen cryptocurrency say they have found a way to hack into the popular Trezor T hardware wallet once itâs in their physical possession.
Unciphered told CoinDesk in an extensive series of conversations and over email it made use of an âunpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data.â
Thatâs all pretty technical, but the team did perform a laboratory demonstration â and documented it in a video â that it was able to hack into a Trezor T wallet supplied by CoinDesk and successfully retrieve our seed phrase and pin. Unciphered has previously hacked the EthereumWallet and recovered locked up crypto, though they claim on their website that they âdo support every wallet in the market.â
Trezor told CoinDesk that its team didnât have enough details about the specific attack Unciphered performed to respond fully, but noted that it looked like an âRDP downgrade attack,â which was publicly flagged as a risk three years ago.
A press representative for the hardware wallet maker said they were unaware of any attempts by Unciphered to reach out directly, even though, "as communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and extremely sophisticated technological knowledge and advanced equipment.â
Trezor added that âeven with the above, Trezors can be protected by a strong passphrase, which adds another layer of security that renders a RDP downgrade useless.â
Hardware wallets are suddenly in focus as a result of the recent public backlash against the rival maker Ledger over its proposed optional ârecovery option,â which infuriated some users who had understood the device to be fully isolated. Many longtime crypto security experts have recommended hardware wallets as a safer place to store assets than keeping them on exchanges â especially after last yearâs collapse of Sam Bankman-Fried's FTX exchange â but the latest revelations show that the devices arenât foolproof either.
Unciphered said it wouldnât confirm or deny whether its hack of the Trezor T would be considered an RDP downgrade, citing âcurrent engagements and non-disclosure agreementsâ that restrict elaboration on âhow this exploit chain works at this time.â
âFurther, any technical disclosure would put Satoshilabs customers at potential risk till mitigations such as a new chip is utilized other than the STM32 in current use,â according to Unciphered.
Unciphered pointed out that, even though Trezor is aware that the Trezor T model has a vulnerability in its STM32 chip, the company has not done anything to fix that since the initial effort to publicize the risk.
âThe fact remains that through this article they are trying to put the responsibility of securing their device on the customer rather than taking the responsibility of admitting that their device is fundamentally insecure,â Unciphered wrote in an email to CoinDesk.
According to Trezor: âContrary to Uncipheredâs claims, Trezor has already taken significant steps to resolve this with the development of the worldâs first auditable and transparent secure element through sister company Tropic Square.â
A company of cybersecurity professionals who specialize in recovering lost or stolen cryptocurrency say they have found a way to hack into the popular Trezor T hardware wallet once itâs in their physical possession.
Unciphered told CoinDesk in an extensive series of conversations and over email it made use of an âunpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data.â
Thatâs all pretty technical, but the team did perform a laboratory demonstration â and documented it in a video â that it was able to hack into a Trezor T wallet supplied by CoinDesk and successfully retrieve our seed phrase and pin. Unciphered has previously hacked the EthereumWallet and recovered locked up crypto, though they claim on their website that they âdo support every wallet in the market.â
A press representative for the hardware wallet maker said they were unaware of any attempts by Unciphered to reach out directly, even though, "as communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and extremely sophisticated technological knowledge and advanced equipment.â
Trezor added that âeven with the above, Trezors can be protected by a strong passphrase, which adds another layer of security that renders a RDP downgrade useless.â
Hardware wallets are suddenly in focus as a result of the recent public backlash against the rival maker Ledger over its proposed optional ârecovery option,â which infuriated some users who had understood the device to be fully isolated. Many longtime crypto security experts have recommended hardware wallets as a safer place to store assets than keeping them on exchanges â especially after last yearâs collapse of Sam Bankman-Fried's FTX exchange â but the latest revelations show that the devices arenât foolproof either.
Unciphered said it wouldnât confirm or deny whether its hack of the Trezor T would be considered an RDP downgrade, citing âcurrent engagements and non-disclosure agreementsâ that restrict elaboration on âhow this exploit chain works at this time.â
âFurther, any technical disclosure would put Satoshilabs customers at potential risk till mitigations such as a new chip is utilized other than the STM32 in current use,â according to Unciphered.
Unciphered pointed out that, even though Trezor is aware that the Trezor T model has a vulnerability in its STM32 chip, the company has not done anything to fix that since the initial effort to publicize the risk.
âThe fact remains that through this article they are trying to put the responsibility of securing their device on the customer rather than taking the responsibility of admitting that their device is fundamentally insecure,â Unciphered wrote in an email to CoinDesk.
According to Trezor: âContrary to Uncipheredâs claims, Trezor has already taken significant steps to resolve this with the development of the worldâs first auditable and transparent secure element through sister company Tropic Square.â
Alternative options to hardware wallets
It bears emphasizing that Uncipheredâs vector of attack only works with the device in the hackerâs physical possession.
âSecurity is that the threat can often be coming from inside the house,â said Nick Federoff, head of marketing at Unciphered. âWe can be our own worst enemy. So this is a huge part of it.â
When a user sets up a hardware wallet, the wallet generates a random set of 12 or 24 words, known as a seed phrase, that allows access to the assets on the wallet.
As part of Uncipheredâs effort to demonstrate its capability, company officials asked CoinDesk to acquire a new Trezor T wallet, set it up with our own seed phrase and write that down somewhere safe. We then sent it via a secure mailing option to Uncipheredâs lab, where they then proceeded to hack into it (recording some of the steps on a video) and ultimately were able to retrieve our seed phrase and pin. The extra step of involving CoinDesk was suggested by the Unciphered team as a way of providing assurance that the procedure wasnât faked or that the device wasnât compromised by a previous owner.
The device retails for $219 on the company's website.
Unciphered acknowledged that it had not contacted Trezor to notify them about the vulnerability prior to attempting to publicize it via an article on CoinDesk; often, such âwhite hatâ hackers will work more cooperatively. âUnciphered has not contacted Trezor whether through our responsible disclosure program or otherwise,â said a press representative at Trezor.
Unciphered told CoinDesk that they had not contacted Trezor because âour obligations are to consumers instead of vendors, who have vested interests in selling more products, regardless of how vulnerable those products make the customers who use them.â
By Margaux Nijkerk | Original LinkÂ