Hacking Hardware Bitcoin Wallets: Extracting the Crypto Seed from a Trezor
It has long been widely accepted that one of the safest places to keep your cryptocurrency holdings is in a hardware wallet. These are small, portable devices that encrypt your keys and offer a little more peace of mind than keeping your coins in a software or web wallet.
But of course, as we know, nothing is completely secure.
And we were reminded of this fact by Kraken Security Labs, when they showed us how they bypassed all the safeguards in a popular wallet, the Trezor, to dump and decrypt its seed.
It should be noted that the hack requires physical access to the wallet - although only about fifteen minutes' worth. And by “physical access” we mean that the hack leaves the device completely mutilated. The Kraken team started by desoldering the core of the wallet, an STM32 processor. They then dropped it into a socket on an interface board and started glitching.
The hack relies on an attack known as voltage glitching. Essentially, at a particular moment during the device's startup sequence, the supply voltage is made to fluctuate. This activates the chip's factory bootloader, which can read the contents of its on-board flash memory. The memory is read-protected, but can be read out 256 bytes at a time by means of a second voltage glitch. None of these attacks work 100% of the time, so if the device does not start or the memory remains locked, the FPGA performing the attacks simply tries again. After enough iterations, the Kraken team was able to completely dump the chip's flash memory.
There's another hurdle here: the memory dump is encrypted. Enter brute forcing. Trezor devices allow a maximum PIN length of nine digits, but if you assume that the average user's PIN is only four digits, it can be guessed by an automated script within minutes. Even a longer PIN can be cracked in a matter of days or weeks - certainly within the realm of the possible. This yields the seed, which could then be entered into a new hardware wallet to effectively steal all of the cryptocurrency assets that lived on the original device.
So other than a few hardware hacking techniques, what can we learn from the work of Kraken Security Labs? First of all, for all designers, the STM32 is not suitable for high security applications. For all end users, that doesn't mean you need to throw away your Trezor (although this isn't the first wallet hack we've seen). It does mean you need to keep it away from other people and you need to activate the BIP39 passphrase, which Kraken says can protect against the attack. Perhaps more importantly, it serves as a reminder to all of us that nothing is 100% secure.
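Why the BIP39 passphrase helps, as an added example that is not from the original article or from Kraken or Trezor: BIP39 mixes the passphrase into the salt of the key-stretching step that turns the recovery words into the wallet seed, and the passphrase is not stored on the device, so a flash dump that reveals the words alone leads to a different wallet. The function names are hypothetical, and the mnemonic is the public BIP39 test vector, not a real wallet.

```python
import hashlib
import unicodedata

BIP39_ROUNDS = 2048  # iteration count fixed by the BIP39 specification

# Public BIP39 test mnemonic (all-zero entropy). Never use it for real funds.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as specified by BIP39.

    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase),
    PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def fingerprint(seed: bytes) -> str:
    """Short hex tag so two seeds can be compared by eye."""
    return seed[:8].hex()


def compare_wallets(mnemonic: str, owner_passphrase: str) -> dict:
    """Seeds reachable from the same words with and without the passphrase."""
    return {
        # What the recovery words alone (no passphrase) lead to.
        "words_only": fingerprint(bip39_seed(mnemonic)),
        # What the owner, who also knows the passphrase, derives.
        "words_plus_passphrase": fingerprint(bip39_seed(mnemonic, owner_passphrase)),
        # Caveat for owners: a mistyped passphrase raises no error, it just
        # opens a different (empty) wallet. Here the case is changed.
        "mistyped_passphrase": fingerprint(
            bip39_seed(mnemonic, owner_passphrase.swapcase())
        ),
    }


if __name__ == "__main__":
    for label, tag in compare_wallets(TEST_MNEMONIC, "TREZOR").items():
        print(f"{label:24s} {tag}")
```

The protection is only as strong as the passphrase itself, since it is the one secret in this derivation that never sits in the chip's flash.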