Security • December 28, 2018, 10:39AM EST

Researchers demo crypto hardware wallet vulnerabilities at tech conference

Read the non-AMP story on Theblock.co
The Block

 At the 35th annual Chaos Communication Congress conference, a group of security researchers demonstrated their "WALLET.FAIL" hacking project, exploiting major crypto hardware wallets including Trezor and Ledger wallets. During the demo, the researchers were able to:

  • Extract the private keys out of a Trezor One wallet.
    • The researchers note that this exploit is only possible if a user did not set a passphrase.
    • Pavol Rusnak, CTO of SatoshiLabs, the parent company of Trezor, tweeted that Trezor will release a fix for this exploit "at the end of January." 
  • Remotely sign trigger transaction from a Ledger Nano S.
    • The Ledger team posted a response stating that the process to trigger a transaction is an "unpractical scenario."
  • Compromise the bootloader of a Ledger Nano S to install custom firmware.
    • The researchers proved this vulnerability by running the game Snake on the device.
    • The Ledger team posted a response stating that this bug will be fixed in the next firmware update.
  • Intercept the pin code of a Ledger Blue by using radio waves.
    • The Ledger team posted a response stating that this "does not allow to guess someone’s PIN in real conditions" as a victim will be required to never physically move their wallets. The Ledger team also added that this exploit will be fixed in the next firmware update.