The US-based cybersecurity firm Unciphered claims to have successfully hacked into a Trezor T hardware crypto wallet by exploiting a hardware vulnerability.
The breach of the popular hardware wallet was made possible by physically taking apart the device using highly specialized tools.
The cracking of the hardware wallet would, in other words, only work if the attacker had physical possession of it, as well as access to advanced tools and knowledge.
Unciphered, which specializes in recovering locked crypto in cases where for instance passphrases are lost or forgotten, said they used their own “in-house exploit” method that allowed them to extract the wallet’s firmware.
This eventually enabled them to crack the necessary pin code and seed phrase, thus getting access to the funds stored on the device, the firm claimed.
Trezor T is one of the most popular crypto hardware wallets in the market today, and is made by Czech Republic-based company Satoshi Labs.
The entire process to extract the seed phrase from the Trezor was published on YouTube by Unciphered:
As the news of the hack broke, members of the crypto community on Twitter were quick to point out that a similar hack was also carried out in 2019 by experts at the hardware wallet maker Ledger.
Among those who pointed that out was Rodolfo Novak (also known as NVK), a veteran in the Bitcoin community who is also the CEO of the Bitcoin hardware wallet maker Coinkite.
According to Unciphered, however, the old vulnerability has already been addressed by Trezor, and nobody else has so far hacked the updated version of the hardware wallet with its new firmware.
Meanwhile, others on Twitter took the opportunity to question the advice given out by some last week to move funds from Ledger hardware wallets to Trezor over concerns related to Ledger’s new – and optional – “Recover” program.
“[…] if you have [a Trezor] you can keep it just make sure you have a strong passphrase and keep it up to date,” the popular crypto influencer Udi Wertheimer said.
Addressing the news of the hack, Trezor’s chief technology officer Tomáš Sušánka said in a media statement that the attack “appears to be a vulnerability called an RDP downgrade attack […].”
He added that this was communicated on the company’s blog in early 2020, and noted that these types of attacks “require physical theft of a device and extremely sophisticated technological knowledge and advanced equipment.”
Read the full article here