ShapeShift Denies Claims By Kraken That KeepKey Can be Hacked in 15 Minutes

Hardware wallet Security
Journalist
Journalist
Sead Fadilpašić
About Author

Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served...

Last updated: 
Why Trust Cryptonews
Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

After cryptocurrency exchange Kraken reported a flaw in hardware wallet KeepKey, the owner of this product, crypto exchange ShapeShift replied that the report is misleading and the attack difficult to carry out.

The KeepKey hardware wallet. Source: KeepKey, Instagram

The story starts on December 10, when Kraken Security Labs published a post alleging that there are inherent flaws within the microcontroller used by KeepKey wallet, which allows seeds from the wallet to be extracted with only c. 15 minutes of physical access to it and c. USD 75-worth DIY consumer-friendly glitching device.

“It’s misleading to claim the device can be hacked in 15 minutes,” replied ShapeShift today. “Executing this attack requires significant preparation and expertise as well as specialized equipment, and assumes physical possession of the device.”

This response was somewhat short, as ShapeShift claims that the Kraken Security Team contacted them with the report in September, but that the company already addressed that issue in detail in June and in August. Speaking of which, KeepKey’s first reply actually came a few hours after Kraken’s statement, referencing these two previous responses. They shared the June post, published as a response to a presentation about extracting seeds from wallets, made by another major player in the hardware wallet industry, Ledger, in which a private key was extracted from KeepKey.

ShapeShift admitted to knowing “about an attack that yields the private key *since* before we acquired KeepKey in 2017,” and went on to describe it. There is a contradiction here between the two posts, as ShapeShift’s post today says “this was an issue we had self-identified in June 2019,” which came after the May 1 report of a vulnerability, which itself was reported in their detailed August post. We have asked ShapeShift for a clarification.

Meanwhile, ShapeShift said in June that, as with any hardware wallet, “this vulnerability is one in which an attacker would need to have physical possession of your KeepKey. KeepKey’s job is to protect your keys against remote attacks.”

All KeepKey’s/ShapeShift’s posts and Kraken’s post agree that to prevent the attack:

  • keep others away from your KeepKey;
  • enable your BIP39 passphrase with the KeepKey client.

Reactions to either and all of these posts were various: people had a number of suggestions, but also complaints starting with ShapeShifts instructions.

Some say that any device can be compromised and for cheap, and some believe that it’d be very difficult fixing this problem: “Given where the vulnerability lies, they would have to redesign the hardware part, and as they consider their field is only to protect against *remote* attacks,” said a Twitter user.

Others were worried about the security of other major wallets, particularly Trezor, with one person tweeting: “As cryptokeepkey is a Trezor clone, is there anything preventing the same attack on Trezor? I agree with NVK [Rodolfo Novak] that a secure chip is necessary for physical security. But that needs reproduciably built open-source firmware for trust minimization.”
_____

Learn more:
How to Protect Your Absolute Crypto Lifeline – Seed Words
Six Alternative Hardware Wallets to Check Out
Crypto Wallets at Their Peaks of ‘Inflated Expectations.’ What’s Next?
Turn Your Old Smartphone into Ethereum Hardware Wallet

Logo

Why Trust Cryptonews

2M+
Active Monthly Users Around the World
250+
Guides and Reviews Articles
8
Years on the Market
70
International Team Authors
editors
+ 66 More

Best Crypto ICOs

Discover trending tokens still in presale — early-stage picks with potential

Explore Our Tools

Smart tools made for everyday crypto users

Market Overview

  • 7d
  • 1m
  • 1y
Market Cap
$3,362,270,075,116
-5.14
Trending Crypto

More Articles

Press Releases
How to Earn Daily Rewards Using Cutting-Edge Cloud Mining Platform BCC Mining?
2025-06-18 14:21:10
Altcoin News
BlackRock’s BUIDL Fund to Become Accepted as Collateral on Crypto.com and Deribit
Amin Ayan
Amin Ayan
2025-06-18 14:10:23
Crypto News in numbers
editors
Authors List + 66 More
2M+
Active Monthly Users Around the World
250+
Guides and Reviews Articles
8
Years on the Market
70
International Team Authors