This Team Showed Weak Spots of Ledger and Trezor Wallets (UPDATED)
On Thursday, at the 35th Chaos Communication Congress in Leipzig in a presentation dubbed “Poof goes your crypto,” a team called wallet.fail demonstrated a series of attacks against popular Trezor and Ledger hardware wallets, showing that even hardware wallets can be compromised by criminals who have direct access to their targets. (Updated with Ledger's response in the second section of the article.)
The team, comprised of three security experts, Josh Datko, Dmitry Nedospasov, and Thomas Roth, says they have long worked on the issue and recognized four types of attacks, all of which were present and exploitable in these hardware wallets:
- Supply chain attacks: manipulating devices before they get to the customer.
- Firmware vulnerability: finding a vulnerability in the firmware that you can either infect or compromise in some other way.
- Side-channel attack: a form of reverse engineering that takes advantage of the information leakage from electronic circuitry.
- Chip-level vulnerability: a weakness in the chip of the device that can be exploited.
The presentation goes on to point out that so-called security stickers that serve to prove that the packaging of the hardware wallet has not been tampered with are actually quite easy to remove (and even counterfeit) - so supply chain attacks are very possible. These include installations of various hardware devices like antennae in the wallets, which can be very hard to recognize for the untrained eye, but are not very scalable which makes them less likely to occur.
However, Ledger notifies their customers that there is no anti-tampering sticker on a box, as a "cryptographic mechanism checks the integrity of your Ledger device's internal software each time it is powered on." They also add that "the Secure Element chip prevents any interception or physical replacement attempt."
As for firmware vulnerabilities, according to wallet.fail, the Ledger Nano S wallet has a so-called “f00dbabe” bootloader (a piece of code that runs before any operating system is running) vulnerability - a tech savvy malicious actor could “make place” for his code by exploiting this vulnerability. In short, it is possible to make a code designated for stealing run before anything else on the hardware wallet runs, just by turning it on.
For a side-channel attack, they catch the radio signals emitted by the device and analyze them to figure out what is sent to the display of the device. One setback is that they have to be physically close to you and your wallet for this to be possible, even to have physical access to it. It is also possible to train artificial intelligence to differentiate among the signals, saving a lot of human work.
The chip-level vulnerability may be the most obvious one: compromising a single, distinct microcontroller means compromising the whole device. Although this vulnerability in the case of Trezor had been previously patched for one kind of attack, it still remains open to other attacks, the researchers claim. The team demonstrates how to perform one of them using cheap materials.
The wallet.fail team also promised to publish their data on their website, as well as GitHub, a software development platform, for any interested parties to look into, as well as providing some insight into what needs to change to build more resilient hardware wallets.
Watch the whole presentation below:
Ledger responded with a detailed blog post, stressing that wallet.fail "presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case."
According to the company, "in particular they did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure."
We'll update the article, should Trezor reply to our request for comment.
Keep your wallet safe
As for protecting yourself in the meantime, one small blessing is that all the attacks shown by the team, even if they are possible, imply that the malicious parties have had physical access to your device. If your device is delivered properly and you can reasonably believe it has not fallen victim to a supply chain attack, all you need to do is keep it safe and maybe even not tell anyone you own it.
The community also points out that these types of attacks are less likely to happen to real-world victims, but are important enough to warrant the attention of manufacturers, who should have their customers’ best interests at heart at all times.
Think of a hardware wallet as a single condom for your Bitcoins. Correct usage can protect you from the vast majority of unwanted pregnancies. But it won't protect you against a mean ex-girlfriend with physical access to your condoms. 3/4— Felix Weis ⚡ (@FelixWeis) December 28, 2018
Also, Reddit user u/cryptroop writes, “[...] The amount of security you have should be proportional to the amount of wealth you hold in crypto.”
User u/lnwlf177 points out the difference between fiat, and thus centralized financial systems, and crypto: “Meanwhile, credit cards have the private key printed on the front of a card, the password on the back, in plain text, and you carry it in your wallet everyday,” and u/mydanger adds, “The difference is that the banks will reimburse you, whereas a hacked crypto wallet is on you.”
In a recent interview with Cryptonews.com, Marek Palatinus, the CEO of SatoshiLabs (and maker of the Trezor hardware wallet), said that the company "is working on allowing the usage of SD cards with Trezor Model T to protect the encrypted passwords and files of our users. Additionally, security innovations are coming for those who want more - recovery seed splitting for additional safety of funds."
Nonetheless, Palatinus warns that cold storage wallets will still have one potential point of failure, which hackers could increasingly target in the coming year.
"The only spot the attackers can focus on is the human element - that is, the users," he said. "And I do not think that this is going to change anytime soon."