The team of Unciphered shared a video showing how he stole the private keys of a Trezor Model-T using an exploit in the hardware. The CTO of Satoshi Labs He assured that this is only possible if attackers steal the wallet and it does not have an additional key.
***
- Team of Unciphered managed to extract private keys from a TrezorModel you
- They took advantage of an exploit in the device’s hardware
- This hack only works if you have the device Trezor Model-T
- CTO of Satoshi Labs indicated that this gap is related to another reported in 2020
- He indicated that the attack is ineffective if the device is protected with an additional password.
Recently published reports indicate that the security firm Unciphered managed to successfully hack the wallet Trezor ModelT, device made by the team Satoshi Labs considered one of the safest of its kind.
They exploit vulnerability in the Trezor Model-T
This was revealed by the team Unciphered in a video posted via Youtube, where the team shows how they managed to extract the seed phrase associated with the wallet from a physical device, all this through a vulnerability present in the equipment’s hardware.
Since the vulnerability that made this possible has to do with hardware, Unciphered stressed that In order to access the seed code, it is necessary to have the device to be hacked at handTherefore, said security breach cannot be exploited remotely through the use of software.
It is worth noting that the team Unciphered already has experience doing this type of procedure, given that in February of this year they also made public how they managed to hack a physical wallet made by the team at OneKey, another company dedicated to the manufacture of this type of device.
Regarding the hack, those responsible indicated in the video that they developed a “internal exploit” on device Trezor, which allowed them to extract the firmware from the wallet. After implementing and taking advantage of other mechanisms, they were able to crack the 24-word code associated with the wallet and get hold of the respective funds.
In this regard, the co-founder of Unciphered, Eric Michaud commented on the video:
We upload the firmware we extracted to our high performance computing cracking clusters. We have about 10 GPUs and after a while we extracted the keys.
Satoshi Labs reply
After the video about the security breach was released, the security team Satoshi Labs proceeded to share some details, revealing that this demonstration by Unciphered bears certain similarities with the vulnerability reported by the researchers of Kraken Security Labs in 2020.
On this, Satoshi’s CTO Labs, Tomáš Sušánka, noted that this seems similar to a vulnerability called Read Protection Downgrade (RDP), which implies that the attacker must steal the device, handle very advanced technological knowledge and have high-end equipment.
While acknowledging that this is a present risk for users of the device, Sušánka added that for more security, users Trezor they can be protected with an additional strong password, enabling another layer of protection that completely disables this vulnerability in the event of a theft.
Despite the fact that Michaud indicated that the company would have to withdraw all its devices from the market to correct this vulnerability, Sušánka affirmed that they are taking steps to solve this problem, which would imply the development of a new security element that the team is working on. of Tropic Square, allied firm of Satoshi Labs.
Article by Angel Di Matteo / DailyBitcoin
Picture of Unsplash, edited with Canva
WARNING: This is an informative article. DiarioBitcoin is a communication medium, it does not promote, endorse or recommend any investment in particular. It is worth noting that investments in crypto assets are not regulated in some countries. They may not be suitable for retail investors, as the entire amount invested could be lost. Check the laws of your country before investing.