This Popular Hardware Wallet was Hacked by a Cybersecurity Firm – Should You Be Concerned?
OneKey, a provider of cryptocurrency hardware wallets, was successfully hacked in just one second by the cybersecurity firm Unciphered. The wallet manufacturer says the firmware vulnerability that allowed the breach has since been patched.
On February 9, Unciphered posted a video on its YouTube channel stating that it had found “a massive critical vulnerability” in OneKey, which it managed to exploit in a single second.
Eric Michaud, a partner at Unciphered, went on to explain how the hack works, noting that the device has a central processing unit (CPU) that handles processing and “the secure element” where the crypto keys are kept. The communications between these two components are normally encrypted.
However, Michaud said,
“[It] turns out it wasn’t engineered to do so in this case. We figured that out. So what you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands. We did that where it then tells the secure element it’s in factory mode and we can take your mnemonics out, which is your money in crypto.”
So, in short, a bad actor could disassemble a OneKey Mini, inject commands on the link between the CPU and the secure element, put the device into ‘factory mode’, bypass the security PIN, and extract the mnemonic phrase.
Unciphered contacted OneKey through its bug bounty program, and OneKey was willing to work with the firm to patch the vulnerability.
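The weak point Michaud describes is a CPU-to-secure-element link that trusts whatever arrives on the bus. The following toy model is an added illustration, not code from Unciphered, OneKey or the article: the command names, frame layout and HMAC-plus-counter scheme are all constructed to show why an interposer's injected or replayed "factory mode" frame is rejected once the link is authenticated.

```python
import hashlib, hmac, os, struct

class SecureElement:
    """Toy secure element (constructed): releases its secret only in factory mode."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.expected_counter = 0
        self.factory_mode = False
        self.mnemonic = "constructed sample mnemonic"

    def _execute(self, cmd: str) -> str:
        if cmd == "ENTER_FACTORY_MODE":
            self.factory_mode = True
            return "ok"
        if cmd == "READ_MNEMONIC":
            return self.mnemonic if self.factory_mode else "reject: locked"
        return "reject: unknown command"
    def handle_plaintext(self, cmd: str) -> str:
        # Unprotected bus: whatever arrives is trusted, including injected frames.
        return self._execute(cmd)

    def handle_authenticated(self, frame: bytes) -> str:
        # Frame layout (constructed): 4-byte counter || command || 32-byte HMAC-SHA256 tag.
        body, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "reject: bad tag"        # forged or modified on the bus
        if struct.unpack(">I", body[:4])[0] != self.expected_counter:
            return "reject: replay"         # a captured genuine frame sent again
        self.expected_counter += 1
        return self._execute(body[4:].decode())

def mcu_frame(key: bytes, counter: int, cmd: str) -> bytes:
    """What the main CPU sends: only it and the secure element hold the session key."""
    body = struct.pack(">I", counter) + cmd.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()
def unprotected_bus() -> str:
    se = SecureElement(os.urandom(32))
    se.handle_plaintext("ENTER_FACTORY_MODE")   # frame injected by a bus interposer
    return se.handle_plaintext("READ_MNEMONIC")  # secret leaves the secure element

def authenticated_bus() -> tuple:
    key = os.urandom(32)
    se = SecureElement(key)
    forged = struct.pack(">I", 0) + b"ENTER_FACTORY_MODE" + bytes(32)
    r_forged = se.handle_authenticated(forged)             # interposer has no key
    genuine = mcu_frame(key, 0, "GET_STATUS")              # a real frame seen on the bus
    se.handle_authenticated(genuine)
    r_replay = se.handle_authenticated(genuine)            # replayed by the interposer
    r_read = se.handle_authenticated(mcu_frame(key, 1, "READ_MNEMONIC"))
    return r_forged, r_replay, r_read
```

The session key must be provisioned so that it never crosses the bus in the clear; otherwise an interposer that captures it can build valid frames itself.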
OneKey responds: ‘vulnerability is fixed’
OneKey released a statement the day after the video went up, stating that “no one is affected” and that all disclosed vulnerabilities have been or are in the process of being fixed.
The wallet provider said that,
“Earlier this year, we received a responsible disclosure from cybersecurity startup Unciphered that validated a potential vulnerability in the OneKey firmware, and our hardware team has updated the security patch without anyone being affected.”
The OneKey team stressed that the attack cannot be carried out remotely: an attacker would need to disassemble the device, as well as have “physical access through a dedicated FPGA device in the lab to be possible to execute.”