At the 35th annual Chaos Communication Congress conference, a group of security researchers demonstrated their “WALLET.FAIL” hacking project, exploiting major crypto hardware wallets including Trezor and Ledger wallets. During the demo, the researchers were able to:
- Extract the private keys out of a Trezor One wallet.
  - The researchers note that this exploit is only possible if a user did not set a passphrase.
  - Pavol Rusnak, CTO of SatoshiLabs, the parent company of Trezor, tweeted that Trezor will release a fix for this exploit “at the end of January.”
- Remotely trigger and sign a transaction from a Ledger Nano S.
  - The Ledger team posted a response stating that the process to trigger a transaction is an “unpractical scenario.”
- Compromise the bootloader of a Ledger Nano S to install custom firmware.
  - The researchers proved this vulnerability by running the game Snake on the device.
  - The Ledger team posted a response stating that this bug will be fixed in the next firmware update.
- Intercept the PIN code of a Ledger Blue by using radio waves.
  - The Ledger team posted a response stating that this “does not allow to guess someone’s PIN in real conditions,” because the attack requires that the victim never physically move the wallet. The Ledger team also added that this exploit will be fixed in the next firmware update.
Originally published on The Block: “Researchers demo crypto hardware wallet vulnerabilities at tech conference,” written by Steven Zheng, December 28, 2018. https://www.theblockcrypto.com/tiny/researchers-demo-crypto-hardware-wallet-vulnerabilities-at-tech-conference/