Hardware Wallet Attacks Demoed at 35c3 Conference

Hardware Wallet Attacks Demoed at 35c3 Conference

Today, wallet.fail, a Berlin-based team of security researchers, demonstrated successful physical-access attacks against popular hardware wallet devices from Trezor and Ledger. The presentations highlighted anew that, via certain vectors, such wallets aren’t totally impenetrable to determined hackers who have direct access to their targets. 

Update 12/28/2018: Ledger has since asserted that wallet.fail demonstrated impractical and non-critical attacks in their 35c3 presentation. Trezor has also said that users with control over their devices have nothing to worry about and that an associated firmware update is coming.

Also see: Electrum Wallet Spear Phishing Campaign Nabs Bitcoin Bonanza

Subscribe to the Bitsonline YouTube channel for great videos featuring industry insiders & experts

Researchers Explored Physical Access Possibilities in Hardware Wallet Demos

During a December 27th presentation dubbed “Poof goes your crypto” at the 35th Chaos Communication Congress in Leipzig, the three-person wallet.fail team successfully demonstrated a series of varying attacks against popular Trezor and Ledger hardware wallets.

wallet.fail, which is comprised of security experts Josh Datko, Dmitry Nedospasov, and Thomas Roth, took to the conference to show that the hardware wallet industry could use further steeling and optimizing.

The Trezor One, a beloved hardware wallet in the space. Image via Trezor Blog

“The attacks that we perform against the hardware wallets range from breaking the proprietary bootloader protection, to breaking the web interfaces used to interact with wallets, up to physical attacks including glitching to bypass the security implemented in the microcontrollers of the wallet,” the researchers have declared.

“Our broad look into several wallets demonstrates systemic and recurring issues.”

The Devil’s in the Details, But It’s Not the End of the World

Specifically, some of the exploits wallet.fail demonstrated included the following, per Parity Technologies developer Afri Schoedon, who was present for the demos:

Moreover, the researchers highlighted the five separate genres of vulnerabilities that could be probed, individually or in combination, for hardware wallet attacks. The genres were:

  • Architectural vectors
  • Firmware vectors
  • Hardware vectors
  • Physical vectors 
  • Software vectors 

“The vulnerabilities we [presented] range from vulnerabilities that can be fixed in a firmware upgrade, to bugs that will require a new hardware revision, up to attacks on the microcontrollers themselves, requiring new silicon to be fixed,” wallet.fail has noted.

From here, then, there’s sure to be a little soul-searching done in the hardware wallet industry. The good news, of course, is that average users will likely never face such attacks because other people simply won’t have physical access to their devices in most cases.

Moreover, Ledger itself has since highlighted that many of wallet.fail’s demonstrated exploits were either impractical or non-critical in nature.

“In particular they did not succeed to extract any seed nor PIN on a stolen device,” the Ledger team said in a follow-up post titled “Still Got Your Crypto.”

For their part, Trezor has said a firmware update is coming for their devices in January 2019 and, like Ledger, asserted that wallet.fail did not use responsible disclosure practices in their presentation.

The Trezor team also said that physical attacks aren’t a serious threat for anyone maintaining control of their own Trezor device.

Whatever happens in the industry from here, researchers are going to keep showing what’s possible so long as these potential vulnerabilities — both big and small — exist.

What’s your take? What’s the optimal way to secure your hardware wallet? Let us know in the comments section below. 


Images via ExerciseTech, Trezor Blog

Related News