A group of experts has demonstrated the vulnerabilities present in hardware wallets systems; developers will launch firmware updates
Cybersecurity and ethical hacking specialists from the International Institute of Cyber Security have reported that a group of researchers has developed and published a method for hacking various hardware wallets (devices for storing cryptocurrency accounts and access keys), revealing multiple vulnerabilities in these systems.
This team of experts, composed of hardware designer Dmitry Nedospasov, software developer Thomas Roth, and cybersecurity researcher Josh Datko, recently published their research, which they dubbed ‘Wallet.Fail’.
During their presentation, the experts announced that they were able to extract the private keys of a hardware wallet developed by the company Trezor after overwriting the firmware. Experts pointed out that this exploit is only functional if the user has not set a custom password.
On the other hand, Turkey Rusnak, a representative of Trezor, posted in his Twitter account that the company was not notified about this through its vulnerability reporting program prior to the flaws’ public disclosure, adding that the company will launch a firmware update on January 2019.
The expert group also argues that it is possible to install any firmware on a hardware wallet; it was even possible to exploit this vulnerability to install a simple videogame on some devices. Cybersecurity experts also found a critical vulnerability in Ledger Blue, Trezor’s most expensive hardware wallet, which even has a colored touch screen.
Using an artificial intelligence software hosted in the cloud, the experts managed to obtain the PIN of the devices thanks to the radio signals emitted by the device that have been leaked at the moment in which the user introduces the PIN.
When they were asked about BitFi, the “inhackable” hardware wallet designed by controversial John McAfee, experts refused to comment on this device, arguing that they were “talking about devices designed to be safe, not about Chinese phones”.
A couple of months ago, an amateur hacker claimed to have hacked the BitFi device, which McAfee denied, mentioning that there is no evidence to claim that any virtual asset has been compromised due to the use of BitFi.