
KeepKey hardware wallet vulnerable to “consumer-friendly” attack

Posted: 11 December 2019 12:13 pm

The most dangerous part of this vulnerability is that it might make KeepKey users a target.

It's possible to extract the seeds from a KeepKey hardware wallet, according to a report from Kraken Security Labs.

All you need is:

  • 15 minutes of physical access to the wallet
  • A way of cracking the seed after extraction ("but it is trivial to brute force," Kraken says)
  • The specialised knowledge and hardware required to extract the encrypted seed, or about $75 worth of gear assembled into a consumer-friendly device that does this for you.

"This attack relies on voltage glitching to extract your encrypted seed, which can require specialized hardware and knowledge. We estimate that a consumer-friendly glitching device could be created for about $75," Kraken says.

That can't be good

The Ledger team has previously identified a similar attack, in which someone with a lot of specialised knowledge and equipment could extract the keys from a KeepKey. However, Kraken's version is potentially a consumer-grade attack, where anyone with a little bit of inexpensive gear can follow some written instructions to extract the funds from a KeepKey.

It's worth noting that similar vulnerabilities have been found in Trezor hardware wallets and, to a less-similar and less-severe extent, in Ledger devices.

"While physical attacks are certainly difficult to defend against, we find this stance to be potentially out of line with [KeepKey's] branding of their product as 'The Next Frontier of Crypto Security'," Kraken says.

Can it be fixed? Is there a way to protect your device?

The attack "takes advantage of inherent flaws within the microcontroller," Kraken says. "This unfortunately means that it is difficult for the KeepKey team to do anything about this vulnerability without a hardware redesign."

In the meantime, users can protect themselves by using a long and complex passphrase. When describing how users could protect themselves against the less consumer-friendly version of this attack, Ledger suggested that at least 32 characters made up of a unique combination of numbers, symbols, uppercase and lowercase letters should do it.

KeepKey's response

At the time of writing, KeepKey hasn't responded to the latest vulnerability, but its response to the previously reported vulnerability probably still applies here:

"KeepKey’s job is to protect your keys against remote attacks," it says. "If somebody else has physical access to your device — as well as the time, skill, and tools necessary — they will always be able to command the device to do whatever they want, bypassing any digital lock that exists."

That seems like the kind of thing which should probably be mentioned among the other KeepKey general security reminders.

Opinion: What are hardware wallets for?

On the one hand, KeepKey (and other hardware wallets) can still serve a valuable function even with this vulnerability. They serve as a physical barrier of sorts, ensuring that it's not possible for hackers to remotely steal cryptocurrency from soft wallets without physical access to the hardware wallet.

Essentially, hardware wallets require you to physically push a button on the device to verify a transaction, preventing thieves from remotely draining your wallet.

On the other hand, this vulnerability highlights how hardware wallets can start posing their own risks, giving thieves a new avenue for accessing your funds with only physical access to the device.

When anyone can easily steal funds simply by getting their hands on a hardware wallet, users need to be sure they're keeping their wallet just as secure as the actual recovery seed backups. In fact, the most sensible thing to do is just keep the KeepKey device itself in the same secure location as the recovery seed backups (such as a Cryptosteel, Billfodl or Cryptotag device) at which point all of this starts getting a bit ridiculous.

Either you're leaving your KeepKey (or seed backups) far too easily accessible and therefore not safe, or you're left with a ridiculous inconvenience every time you need to verify a transaction on your KeepKey.

It's also worth noting that the consumer-friendly nature of this potential vulnerability is a very big deal. It crosses the line where thieves may start deliberately targeting KeepKey holders, because they know they'll be able to quickly and easily extract the keys, while they have no such assurances with Ledger, Trezor or other hardware wallets.

At this point, any wealthy KeepKey devotees probably shouldn't mention that they're using a KeepKey.





Disclosure: The author holds BNB, BTC at the time of writing.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
