Researchers demo crypto hardware wallet vulnerabilities at tech conference


At the 35th annual Chaos Communication Congress, a group of security researchers demonstrated their "WALLET.FAIL" hacking project, exploiting major crypto hardware wallets, including models from Trezor and Ledger. During the demo, the researchers were able to:

  • Extract the private keys out of a Trezor One wallet.
    • The researchers note that this exploit is only possible if a user did not set a passphrase.
    • Pavol Rusnak, CTO of SatoshiLabs, the parent company of Trezor, tweeted that Trezor will release a fix for this exploit "at the end of January." 
  • Remotely trigger and sign a transaction from a Ledger Nano S.
    • The Ledger team posted a response stating that the process to trigger a transaction is an "unpractical scenario."
  • Compromise the bootloader of a Ledger Nano S to install custom firmware.
    • The researchers proved this vulnerability by running the game Snake on the device.
    • The Ledger team posted a response stating that this bug will be fixed in the next firmware update.
  • Intercept the PIN code of a Ledger Blue by using radio waves.
    • The Ledger team posted a response stating that this "does not allow to guess someone’s PIN in real conditions," as a victim would be required to never physically move their wallet. The Ledger team also added that this exploit will be fixed in the next firmware update.

AUTHOR

Steven Zheng is a researcher for The Block. He joined The Block in August 2018. Steven graduated from St. John’s University with a degree in economics. Previously, he covered blockchain and crypto at Radicle, a startup analytics firm. He also had brief stints at Cheddar, a media startup, and Bowery Capital, a venture capital firm. He owns bitcoin. Follow Steven on Twitter at: @Dogetoshi
