Trezor crypto wallets can be easily hacked in less than 15 minutes

For most cryptocurrency enthusiasts and digital forensics specialists, storing virtual assets without an Internet connection (a practice usually known as cold storage) is the most secure way to hold these resources, as outside of the network security keys are not exposed to cybercriminals.

One of the main tools for cold storage is the hardware wallet, a kind of USB drive with advanced protections, specially designed for cryptocurrency storage. Relatively recently, the technology company Trezor launched its hardware wallet, which quickly became one of the most popular products among fans of the use of virtual currencies.

Despite its advanced security features, in October 2019 digital forensics firm Kraken Security notified Trezor of a critical security flaw in its Trezor One and Trezor Model T models.

The vulnerability reported to Trezor is related to the chips used by the company. According to digital forensics experts, these chips were designed for conventional computer equipment, so they do not have a complete security environment; besides, the flaw exists due to the physical conditions of these chips. As if that weren’t enough, the researchers mention that the attack can be completed in less than 15 minutes.  

The International Institute of Cyber Security (IICS) notes that, because it is a flaw in the physical structure of the processing chips of these devices, it is impossible for Trezor to implement a fix via software updates, so the company has had to devise alternative solutions to prevent physical attacks against virtual asset holders.

The main recommendation for Trezor users is caution. Since the attack requires physical access to the device, protecting it in a secure location completely mitigates the risk of attack. However, the company strongly asks its users to enable the password feature, which will protect the information stored inside the physical wallet. As mentioned in the report published by Trezor, this feature was specifically designed to prevent the loss of virtual assets in the event of a physical attack.