We’re about to enter 2019, and hardware wallets still aren’t enforcing the protections they should be. Investors and their crypto stashes are still very much at risk, according to a new study.
A team of security researchers – Dmitry Nedospasov, Thomas Roth and Josh Datko – began examining varying cryptocurrency wallets in June to see if these wallets could be compromised or hacked. Six months later, they’re showing their findings in a new presentation at the Chaos Communication Congress.
Are Crypto Wallets Up to the Test?
Among the wallets tested were the Trezor One, the Ledger Nano S, and the Ledger Blue. The developers tested these and other wallets against both supply chain and side channel attacks, finding both chip and firmware-level vulnerabilities in the process.
One of the biggest problems came in the form of the security stickers that vendors typically use as “seals” for the wallets’ boxes and casings. If the sticker is intact, it is often assumed that the device hasn’t been tampered with or is safe to use.
However, Datko demonstrated that a malicious individual can easily remove the sticker by blasting it with a hairdryer on low heat. This pushes the sticker back without leaving any residue on the case. Datko was then able to remove the stickers from the Trezor One boxes and USB ports, leaving no glue or attaching substance behind.
Following this demonstration, Datko opened the wallets’ enclosures, gaining access to the hardware underneath. From there, he was able to replace the microcontroller, commenting:
“Once you’ve done that on the Trezor wallet devices, you can put your compromised bootloader in there.”
This later allowed Datko to connect to the chip and gain consistent access with a hardware debugger, which would allow an individual to install malicious code onto the wallet(s). He then took things further and installed what he referred to as a “cheap hardware implant” onto the Ledger wallet that allowed him to approve transactions without a user’s permission or knowledge. This is particularly dangerous in the sense that a hacker could easily garner and move illegally possessed funds and the wallet owner would never know.
What Could Happen if These Issues Aren’t Solved?
Lastly, the researchers were able to reverse-engineer firmware upgrades and find technical issues that would allow hackers to write custom firmware on the devices.
Granted these and other wallet vulnerabilities remain, 2019 could potentially start in the same way 2018 did – with another Coincheck. What a great beginning to the new year, right?
Do you believe wallet companies aren’t doing enough to protect their clients? Why or why not? Post your comments below.
Image courtesy of Shuttershock