Kraken reveals Trezor’s secret “surprise” vulnerability

Which is more dangerous: physical attacks or forgotten passwords?

Kraken has announced that it's identified a "critical flaw" in Trezor hardware wallets, which lets people extract recovery seeds from the wallet.

To do this, an attacker needs:

• 15 minutes of physical access to the device.
• A way of cracking the encrypted seed after extraction, although Kraken describes this as "trivial". This can be done by brute-forcing the unfortunate user's 1-9 digit PIN. Kraken helpfully provided an example brute force script that can crack a 4-digit PIN in about two minutes.
• Either the requisite know-how and equipment to extract the seed from the device through voltage glitching, or a "consumer-friendly" glitching device which Kraken estimates could easily be mass-produced and sold for about $75.

If any of that sounds familiar, it might be because it's exactly the same shopping list that Kraken assembled when it disclosed a KeepKey vulnerability. Indeed, it's exactly the same attack.

The attack is of a family known as voltage glitching. The gist of it is that you tickle a computer chip with electrical currents, then while it's laughing, you push it over and steal its wallet.

Basically, the voltage glitching is used to undo some of the security measures that the devices have, which lets you induce them to cough up the supposedly confidential information, such as recovery seeds, that is stored on the device.

As with the KeepKey vulnerability, this is a particularly dangerous vulnerability because it allows for consumer-grade attacks that theoretically anyone without any experience can perform simply by following a tutorial, as long as they have one of those relatively inexpensive devices.

It also sounds a lot like a secretive "surprise" Trezor vulnerability uncovered by the Ledger Donjon security research team in early 2019. It wasn't fully revealed "due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries," in the words of Trezor.

The description of that surprise attack – an un-patchable issue relating to an innate vulnerability in the microcontroller, which can be mitigated through the use of a passphrase – sounds exactly like this newly-revealed vulnerability.

As such, one can conclude with a reasonable amount of confidence that a lot of people have been well aware of this vulnerability for a long time now.

Trezor speculated as much in its official response, but says:

"We are unable to confirm this with any certainty because the Donjon Team has not, to this day, shared the full details of the attack with us."

The good news, the bad news and the ugly news

The bad news is that this problem cannot be fixed. It is endemic to all Trezor hardware wallets, and as a Trezor derivative, KeepKey also inherited the same problem. This issue is specifically associated with the microcontrollers used in those wallets, which are the exact same type as the ones used the Trezor One and KeepKey and a very similar type to those used the Trezor Model T.

Ledger hardware wallets don't have the same problem as they store sensitive data in secure elements inside the devices, rather than on more general-purpose hardware. As the Ledger CTO has said on occasion, secure elements are called "secure elements" for a reason.

The good news is that you can still protect Trezors from this attack by using a passphrase. And because the passphrase itself isn't stored on the device, it won't be extracted along with the seed.

The ugly news is that your password needs to be good. The usual suspects like "password", "123456" and "swordfish" really won't cut it.

In discussing the KeepKey vulnerability, Kraken suggested that a 32-character string of uppercase and lowercase letters and numbers should do it, and the same rules probably apply here.

Trezor's own estimates are much lower though.

"By using 12 random lowercase letters as a passphrase, the attacker would have to check about 48,000,000,000,000,000 passphrases on average, before hitting the right one. An attack like this would cost an estimate of $77 million through Amazon AWS," Trezor previously noted.

Of course, Trezor passwords are "a bit clunky to use in practice", in the words of Kraken.

"The passphrase is by many considered an advanced feature, and it could certainly lead to loss of your coins if you don’t follow the recommended practices," Trezor also noted.

And once you have that password, you really can't have it stored anywhere in the same vicinity as your Trezor. Plus, as is so often the case in crypto, there is zero recourse if you lose or forget your password.

So even though it works, the passphrase system leaves a lot to be desired.

Opinion: The real problem here

Trezor also downplays the risk of physical attacks by quoting a Binance security survey to argue that "only a small portion [<6%] of cryptocurrency users are concerned about physical attacks."

This is incorrect.

The Binance survey results actually say that 6% of people named physical security as their biggest fear. It's completely different from saying that only 6% of cryptocurrency users are concerned about physical attacks.

And once you factor in pertinent questions like whether people be more concerned about physical attacks if they knew that their hardware wallet was extremely vulnerable to physical attacks, there are some good reasons to raise an incredulous eyebrow at Trezor's claims.

Common sense says it's not good to downplay the risk of physical attacks. Anytime a hardware wallet is put into a bag or a pocket and taken out into the world, it's being put at risk of a physical attack. At home, it's at risk of physical attack from burglars or anyone else in the home. In a bank safe deposit box or in the hands of any other custodian, it's at the mercy of a third party.

By downplaying these risks, Trezor is undermining the most important message here, which is that if you're using a Trezor device to store significant amounts of money, you should be using it with a complex password.

It's a heck of a lot better than KeepKey though. It claims KeepKey's sole job is to protect keys against remote attacks, but on the KeepKey website, KeepKey happily assures (lies to?) prospective buyers, explicitly saying "Have peace of mind that your funds are secure, even if you lose... your KeepKey."

To be crystal clear, that is not correct. Without a secure passphrase, your funds are at risk if you lose your KeepKey or your Trezor. And while it's a good bit fluffier, you could also argue that KeepKey's self-declared status as "the next frontier of crypto security" is just solidly, factually incorrect.

It's easy to see why Trezor wants to paint passphrases as an optional advanced feature, and it's impossible to say whether more money will eventually be lost through forgotten passwords or these kinds of voltage glitching attacks. But it's also still rather unsatisfying, and it would be nice to see some big signs around the place saying something like "Your wallet is not physically secure unless you have a secure passphrase."

While a lot of attention in crypto is giving to solving the problems of personal private key management (hardware wallets themselves are a solution to problems in private key management) much less is focused on the problems lying at the inevitable end of the road.

The problem is that better individual private key management will always come down to consumer education, but consumer education is often polluted by commercial agendas and marketing spin.

These kinds of conflicts are perfectly normal everywhere. For example, how many times has a friendly mascot told us that sugary breakfast cereal is a healthy way of starting the day?

But you have to consistently and repeatedly choose the wrong food before it starts having consequences, while making a single mistake with private key management means someone can instantly lose everything without recourse. At the same time, cybersecurity is (arguably) a much more complex space from the consumer's perspective than the choice of breakfast cereal, which breeds a lot more reliance on the hardware wallet industry itself as a source of truth.

Taken as a whole, that industry still seems to be alright — more than alright in some cases — with a few people losing their money if it means selling more wallets.

One of the original visions of Bitcoin was a world where everyone could be their own bank. This vision has been sorely tested by the sheer awfulness of being one's own bank. But a lot of people have kept on, hoping that enough education would someday be able to bridge the gap.

Crossing that bridge might be harder than it appears.

But hey, crypto custody services are booming.

Also watch

Disclosure: The author holds BNB, BTC at the time of writing.

Picture: Shutterstock