Turkish Crypto Exchange Thodex CEO Faruk Özer Sentenced to 11,196 Years in Prison for Collapse

DeFi and Credit Risk

International Regulatory Authorities Unveil Comprehensive Global Cryptocurrency Policy Blueprint

A team of cybersecurity experts, specialized in retrieving lost or stolen cryptocurrency, claim to have discovered a method to breach the renowned Trezor T hardware wallet when it is physically accessible to them.

In a comprehensive series of discussions and email exchanges with CoinDesk, Unciphered revealed that they utilized an “unpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data.”

While the content is quite technical, the team managed to conduct a laboratory demonstration and recorded a video showing their successful hacking of a Trezor T wallet provided by CoinDesk. They were able to retrieve the seed phrase and pin without difficulty. It's worth mentioning that Unciphered has a track record of hacking into EthereumWallet and successfully recovering locked-up cryptocurrencies. On their website, they boldly state that they “do support every wallet in the market.”

Trezor informed CoinDesk that their team lacked sufficient information regarding the specific attack carried out by Unciphered to provide a comprehensive response. However, they acknowledged that it appeared to be an "RDP downgrade attack," a risk that was publicly identified three years ago.

A press representative for the hardware wallet maker said they were unaware of any attempts by Unciphered to reach out directly, even though, "as communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and extremely sophisticated technological knowledge and advanced equipment.”

Trezor added that “even with the above, Trezors can be protected by a strong passphrase, which adds another layer of security that renders a RDP downgrade useless.”

Hardware wallets have gained sudden attention due to the recent backlash faced by Ledger, a competing manufacturer, over its controversial "recovery option" proposal. This move angered certain users who believed the device was completely isolated. While hardware wallets have been recommended by experienced cryptocurrency security experts as a safer alternative to keeping assets on exchanges, particularly following the collapse of Sam Bankman-Fried's FTX exchange last year, the latest revelations indicate that these devices are not entirely immune to vulnerabilities.

Unciphered said it wouldn’t confirm or deny whether its hack of the Trezor T would be considered an RDP downgrade, citing “current engagements and non-disclosure agreements” that restrict elaboration on “how this exploit chain works at this time.”

“Further, any technical disclosure would put Satoshilabs customers at potential risk till mitigations such as a new chip is utilized other than the STM32 in current use,” according to Unciphered.

Unciphered pointed out that, even though Trezor is aware that the Trezor T model has a vulnerability in its STM32 chip, the company has not done anything to fix that since the initial effort to publicize the risk.

“The fact remains that through this article they are trying to put the responsibility of securing their device on the customer rather than taking the responsibility of admitting that their device is fundamentally insecure,” Unciphered wrote in an email to CoinDesk.

According to Trezor: “Contrary to Unciphered’s claims, Trezor has already taken significant steps to resolve this with the development of the world’s first auditable and transparent secure element through sister company Tropic Square.” 

Alternative options to hardware wallets

It is important to emphasize that Unciphered's method of attack only functions when the hacker has physical access to the device.

“Security is that the threat can often be coming from inside the house,” said Nick Federoff, head of marketing at Unciphered. “We can be our own worst enemy. So this is a huge part of it.”

When a user initializes a hardware wallet, the wallet creates a randomly generated set of 12 or 24 words called a seed phrase, which grants access to the assets stored within the wallet.

As part of its endeavor to showcase its capabilities, Unciphered approached CoinDesk with a request to obtain a new Trezor T wallet. We were instructed to set it up using our own unique seed phrase and ensure its secure storage. Following the setup, we securely mailed the wallet to Unciphered's laboratory. Once received, the Unciphered team proceeded to carry out a comprehensive hacking test on the device, documenting the process on video. Ultimately, they successfully retrieved both our seed phrase and pin. The involvement of CoinDesk in this process was suggested by the Unciphered team to provide reassurance that neither the procedure was falsified nor the device compromised by a previous owner.

The device retails for $219 on the company's website.

Unciphered acknowledged that it had not contacted Trezor to notify them about the vulnerability prior to attempting to publicize it via an article on CoinDesk; often, such “white hat” hackers will work more cooperatively. “Unciphered has not contacted Trezor whether through our responsible disclosure program or otherwise,” said a press representative at Trezor.

Unciphered told CoinDesk that they had not contacted Trezor because “our obligations are to consumers instead of vendors, who have vested interests in selling more products, regardless of how vulnerable those products make the customers who use them.”

Source Coindesk