KeepKey hardware wallet vulnerable to “consumer-friendly” attack
The most dangerous part of this vulnerability is that it might make KeepKey users a target.
All you need is:
- 15 minutes of physical access to the wallet
- A way of cracking the encrypted seed after extraction ("but it is trivial to brute force," Kraken says)
- The specialised knowledge and hardware required to extract the encrypted seed, or about $75 worth of gear assembled into a consumer-friendly device that does this for you.
"This attack relies on voltage glitching to extract your encrypted seed, which can require specialized hardware and knowledge. We estimate that a consumer-friendly glitching device could be created for about $75," Kraken says.
That can't be good
The Ledger team previously identified a similar attack, in which someone with a lot of specialised knowledge and equipment could extract the keys from a KeepKey. However, Kraken's version is potentially a consumer-grade attack, where anyone with a little inexpensive gear can follow written instructions to extract the seed, and with it the funds, from a KeepKey.
"While physical attacks are certainly difficult to defend against, we find this stance to be potentially out of line with [KeepKey's] branding of their product as 'The Next Frontier of Crypto Security'," Kraken says.
Can it be fixed? Is there a way to protect your device?
The attack "takes advantage of inherent flaws within the microcontroller" Kraken says. "This unfortunately means that it is difficult for the KeepKey team to do anything about this vulnerability without a hardware redesign."
In the meantime, users can protect themselves by using a long and complex passphrase. The passphrase is entered by the user rather than stored on the device, so an attacker who extracts the seed still cannot derive the wallet without it. When describing how users could protect themselves against the less consumer-friendly version of this attack, Ledger suggested that at least 32 characters, mixing numbers, symbols, uppercase and lowercase letters, should do it.
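To show why the passphrase advice works, here is an added example that is not from Kraken's, Ledger's or KeepKey's material. It assumes KeepKey's passphrase feature is the standard BIP39 passphrase (the seed is PBKDF2-HMAC-SHA512 over the mnemonic, salted with "mnemonic" plus the passphrase), and it uses the published BIP39 test vector rather than any real wallet. An attacker who has glitched the mnemonic out of the device is left guessing the passphrase; the `brute_force_passphrase` function and the wordlist are constructed for illustration only.

```python
import hashlib
import math
import secrets
import string
import unicodedata

# Constructed input: BIP39 test vector #1 (all-zero entropy). Stands in for a
# mnemonic an attacker has extracted from a device; it is not a real wallet.
EXTRACTED_MNEMONIC = ("abandon " * 11 + "about").strip()

# Constructed attacker wordlist (assumption: the kind of short dictionary a
# "consumer-friendly" tool might ship with).
ATTACKER_WORDLIST = ["", "password", "123456", "TREZOR", "keepkey", "bitcoin"]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation:
    PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048, 64 bytes).
    The passphrase is never stored with the mnemonic; it only exists in the user's head."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def wallet_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Hypothetical wallet identifier: first 8 hex chars of SHA-256 of the seed.
    Real wallets derive keys via BIP32; the point is only that a different
    passphrase yields a completely different wallet from the same mnemonic."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def brute_force_passphrase(mnemonic: str, target_seed: bytes, candidates) -> "str | None":
    """Attacker's view: mnemonic known (extracted), passphrase unknown.
    Returns the candidate that reproduces the victim's seed, or None."""
    for candidate in candidates:
        if bip39_seed(mnemonic, candidate) == target_seed:
            return candidate
    return None


def generate_passphrase(length: int = 32) -> str:
    """Passphrase of the strength Ledger suggested: letters, digits and symbols,
    drawn with a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a random passphrase, in bits. 2048 PBKDF2 rounds are
    cheap, so the passphrase itself has to be unguessable."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Same extracted mnemonic, three different passphrases, three different wallets.
    for p in ["", "TREZOR", generate_passphrase()]:
        print(f"passphrase={p!r:40} wallet={wallet_fingerprint(EXTRACTED_MNEMONIC, p)}")

    # Weak passphrase: the attacker's dictionary recovers it.
    weak_seed = bip39_seed(EXTRACTED_MNEMONIC, "TREZOR")
    print("weak   ->", brute_force_passphrase(EXTRACTED_MNEMONIC, weak_seed, ATTACKER_WORDLIST))

    # Strong passphrase: extraction of the mnemonic alone is not enough.
    strong = generate_passphrase(32)
    strong_seed = bip39_seed(EXTRACTED_MNEMONIC, strong)
    print("strong ->", brute_force_passphrase(EXTRACTED_MNEMONIC, strong_seed, ATTACKER_WORDLIST))
    print(f"32 chars from {len(string.ascii_letters + string.digits + string.punctuation)} symbols"
          f" = {passphrase_entropy_bits(32, 94):.0f} bits")
```

The caveat a practitioner should take from this: the passphrase only helps if it is genuinely random. A PIN or a memorable word falls to the same "trivial to brute force" step Kraken describes, because PBKDF2 with 2048 rounds costs the attacker almost nothing per guess; the 32-character, mixed-alphabet recommendation puts the search space around 210 bits.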
At the time of writing, KeepKey hasn't responded to the latest vulnerability, but its response to the previously-reported vulnerability probably still applies here:
"KeepKey's job is to protect your keys against remote attacks," it says. "If somebody else has physical access to your device, as well as the time, skill, and tools necessary, they will always be able to command the device to do whatever they want, bypassing any digital lock that exists."
That seems like the kind of thing which should probably be mentioned among the other KeepKey general security reminders.
Opinion: What are hardware wallets for?
On the one hand, KeepKey (and other hardware wallets) can still serve a valuable function even with this vulnerability. They serve as a physical barrier of sorts: the private keys never leave the device, so a hacker who compromises your computer or software wallet cannot steal cryptocurrency remotely without also getting physical access to the hardware wallet.
Essentially, hardware wallets require you to physically push a button on the device to verify a transaction, preventing thieves from remotely draining your wallet.
On the other hand, this vulnerability highlights how hardware wallets can start posing their own risks, giving thieves a new avenue for accessing your funds with only physical access to the device.
When anyone can easily steal funds simply by getting their hands on a hardware wallet, users need to be sure they're keeping their wallet just as secure as the actual recovery seed backups. In fact, the most sensible thing to do is just keep the KeepKey device itself in the same secure location as the recovery seed backups (such as a Cryptosteel, Billfodl or Cryptotag device) at which point all of this starts getting a bit ridiculous.
Either you're leaving your KeepKey (or seed backups) far too easily accessible and therefore not safe, or you're left with a ridiculous inconvenience every time you need to verify a transaction on your KeepKey.
It's also worth noting that the consumer-friendly nature of this potential vulnerability is a very big deal. It crosses the line where thieves may start deliberately targeting KeepKey holders, because they know they'll be able to quickly and easily extract the keys, while they have no such assurances with Ledger, Trezor or other hardware wallets.
At this point, any wealthy KeepKey devotees probably shouldn't mention that they're using a KeepKey.
Disclosure: The author holds BNB, BTC at the time of writing.