With physical access to the device you can extract the seed in only 15 minutes. But there is a way to protect your crypto currency.
The security research team at Kraken has found a way to hack into the popular hardware Wallet Trezor. But the whole thing only works if the hacker has the wallet in his hands and not over the Internet. In order for a hacker to carry out such an attack, the right equipment and knowledge is needed to penetrate the Trezor.
So if the hardware wallet is lost, the right person can extract the recovery words stored in it. According to Kraken Security Labs, hacking a Trezor wallet is possible by using cheap equipment. By using a peak voltage based attack, hackers can extract the seed from the wallet. Whoever owns the seed also owns all the crypto currencies that belong to that seed.
The security team explains:
“This attack is based on a voltage glitch to extract an encoded seed. The first attack required some know-how and several hundred dollars in equipment, but we estimate that we (or the criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75.”
Can the problem be solved?
The part of the wallet that triggers this vulnerability is the hardware side. The structure of the chip, which according to Kraken is not designed to store data securely, makes the wallet open to attack by voltage spikes.
Kraken Security Labs said so:
“The attack exploits the inherent flaws of the microcontroller used in the Trezor wallet. Unfortunately, this means that it is difficult for the Trezor team to do anything about this vulnerability without redesigning the hardware.”
For Trezor, apart from integrating newly developed chips into new hardware wallets to prevent the attack, there is little the company can do with existing models.
No need to panic, there is a way to prevent such an attack
In a detailed blog post, the Trezor team noted that the entire attack can be defused if the user has a strong passphrase. Simply put, using the passphrase feature of a Trezor device can protect the hardware wallet from potential voltage spike attacks.
The Trezor Team writes in the article:
“It is important to note that this attack is only feasible if the passphrase function does not protect the device. A strong passphrase completely restricts the possibilities of a successful attack.”
The passphrase function is an exceptionally secure layer of active protection and, when used correctly, an impenetrable solution to physical attacks. The main advantage of the passphrase is that it is not stored anywhere in the device and therefore cannot be extracted by a third party. At the same time, there is a risk that if the passphrase is lost or forgotten, there is no one left to help recover the passphrase.