This Popular Hardware Wallet was Hacked by a Cybersecurity Firm – Should You Be Concerned?

Sead Fadilpašić
Source: a video screenshot, Unciphered/ YouTube

OneKey, a provider of cryptocurrency hardware wallets, was successfully hacked in just one second by the cybersecurity firm Unciphered. The wallet manufacturer claims the firmware vulnerability that allowed the breach has since been patched.

On February 9, Unciphered posted a video on its YouTube channel, stating that it had found “a massive critical vulnerability” in OneKey, which it managed to exploit in a single second.

Eric Michaud, a partner at Unciphered, went on to explain how the hack works, noting that the device has a central processing unit (CPU) that is in charge of processing and a “secure element” where crypto keys are kept. The communications between these two are normally encrypted.

However, Michaud said, 

“[It] turns out it wasn’t engineered to do so in this case. We figured that out. So what you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands. We did that where it then tells the secure element it’s in factory mode and we can take your mnemonics out, which is your money in crypto.”

So, in essence, a bad actor who disassembles a OneKey Mini could inject commands on the link between the CPU and the secure element, put the device into ‘factory mode’, bypass the security PIN, and take the mnemonic phrase.

The Unciphered team contacted OneKey, engaging the bug bounty program, and OneKey was willing to work with Unciphered to patch the vulnerability.
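As an added illustration (not code from Unciphered or OneKey), the sketch below models why a secure element that trusts the bus obeys an interposer's command, and how tagging each command with a MAC under a shared pairing key plus a message counter rejects it. The opcodes, frame layout and pairing key are assumptions of this sketch, and it demonstrates message authentication rather than OneKey's actual patch.

```python
import hashlib, hmac, os, struct
# Hypothetical opcodes and frame layout for this sketch (not OneKey's protocol).
CMD_GET_STATUS, CMD_ENTER_FACTORY_MODE = 0x01, 0x7F

def mac(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, header, hashlib.sha256).digest()

def host_frame(key: bytes, counter: int, opcode: int) -> bytes:
    """Frame built by the MCU: opcode | 32-bit counter | HMAC-SHA256 tag."""
    header = bytes([opcode]) + struct.pack(">I", counter)
    return header + mac(key, header)

class PlainSecureElement:
    """Weak design: obeys any frame seen on the bus."""
    def __init__(self):
        self.factory_mode = False
    def handle(self, frame: bytes) -> bool:
        if frame and frame[0] == CMD_ENTER_FACTORY_MODE:
            self.factory_mode = True
        return bool(frame)

class AuthenticatedSecureElement:
    """Hardened design: obeys only fresh frames tagged with the pairing key."""
    def __init__(self, pairing_key: bytes):
        self.key, self.last_counter, self.factory_mode = pairing_key, 0, False
    def handle(self, frame: bytes) -> bool:
        if len(frame) != 37:                      # 1 + 4 + 32 bytes
            return False
        if not hmac.compare_digest(mac(self.key, frame[:5]), frame[5:]):
            return False                          # forged or altered frame
        counter = struct.unpack(">I", frame[1:5])[0]
        if counter <= self.last_counter:
            return False                          # replayed frame
        self.last_counter = counter
        if frame[0] == CMD_ENTER_FACTORY_MODE:
            self.factory_mode = True
        return True

def demo() -> dict:
    key = os.urandom(32)   # constructed pairing key shared by MCU and SE
    plain, auth = PlainSecureElement(), AuthenticatedSecureElement(key)
    # Constructed interposer frame: right shape, but no knowledge of the key.
    injected = bytes([CMD_ENTER_FACTORY_MODE]) + struct.pack(">I", 1) + bytes(32)
    plain.handle(injected)
    genuine = host_frame(key, 1, CMD_GET_STATUS)
    return {"plain_factory_mode": plain.factory_mode,
            "injected_accepted": auth.handle(injected),
            "genuine_accepted": auth.handle(genuine),
            "replay_accepted": auth.handle(genuine),
            "auth_factory_mode": auth.factory_mode}
if __name__ == "__main__":
    print(demo())
```

The scheme only holds if the pairing key is stored where someone with physical access cannot read it out of the CPU; otherwise valid frames can be forged.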

OneKey responds: ‘vulnerability is fixed’

OneKey released a statement the day after the video was released, stating that “no one is affected” and that all disclosed vulnerabilities have been or are in the process of being rectified.

The wallet provider said that,

“Earlier this year, we received a responsible disclosure from cybersecurity startup Unciphered that validated a potential vulnerability in the OneKey firmware, and our hardware team has updated the security patch without anyone being affected.”

These attacks cannot be done remotely, the team stressed, arguing that an attacker would need to disassemble the device – as well as have “physical access through a dedicated FPGA device in the lab to be possible to execute.”

https://twitter.com/OneKeyHQ/status/1623944436488245248

OneKey went on to say that, while they strive for 100% security, that is unlikely to be achieved by anybody, and that white-hat hackers and security firms have been helping them discover vulnerabilities.

They further claimed that other wallet providers have similar problems – but that OneKey was the fastest to solve them.

“Unciphered told us that several other world-renowned hardware vendors had similar issues, while we were the most responsive team and immediately fix the issue,” said OneKey. “We also paid Unciphered bounties to thank them for their contributions to OneKey’s security.”

You can watch the demonstration of the hack in the video below.
