Prominent Wallets Proven Hackable, But Don’t Worry Too Much

By Alison Berreman, Writer, ETHNews.com

If you’re keeping your wallets out of the hands of hackers, you’re probably fine.

In a presentation given on Thursday, December 27, at the 35th Chaos Communication Congress in Leipzig, Germany, security researchers Thomas Roth, Dmitry Nedospasov, and Josh Datko demonstrated what they describe as "systemic and recurring" security vulnerabilities in common hardware wallets, including the Ledger Nano S, Ledger Blue, and Trezor One.

Roth demonstrated a firmware vulnerability in the Ledger Nano S which, if exploited, allows malicious transactions to be sent and confirmed through the device. Roth noted that Ledger had already recognized the potential vulnerability and attempted to address it. However, with a bit of ingenuity, the research team was able to bypass the protections and exploit the vulnerability.

In response, Ledger published an in-depth blog post intended to assure customers that the bug exposed in the demonstration "has been solved in the next firmware version."

Roth also exposed a vulnerability with the Ledger Blue, wherein the device's PIN can be revealed with roughly 90 percent accuracy. This hack was pretty involved, but using artificial intelligence and cloud technology, the team was able to publicly share the hack on Google Cloud, albeit "with a limited dataset that is trained on a very close base," said Roth. "You cannot do anything super malicious with it, but it's nice to play around and see how this was done."

Ledger responded, "This attack is a bit unrealistic and not practical." If someone really wanted the PIN, Ledger suggested, it would be easier "to put a camera in the room and record the user entering his/her PIN." The post also assured customers that Ledger had "already implemented a randomized keyboard for the PIN on the Ledger Nano S, and the same improvement is scheduled in the next Ledger Blue Firmware update."

The researchers then demonstrated how they were able to reveal the seed phrase and PIN stored in a Trezor One wallet. They admitted that discovering how to execute the attack took months, but they said that anyone who wished to could use the strategy they discovered with relative ease. They also stated that they would post a how-to on GitHub. However, Roth added that if the device's owner used a "good passphrase" on their Trezor One wallet, they could "somewhat protect against this, but a lot of people don't, so we are really sorry," he chuckled. "We didn't mean any harm."

Additionally, the researchers have promised to post their methods on their website, wallet.fail.

Pavol Rusnak, chief technology officer of SatoshiLabs, which is the creator of Trezor, posted on Twitter after the talk:

Rusnak attempted to assure Trezor owners that Trezor One wallets were in fact safe to use because an "attacker would need physical access to the device and its board" to execute the attack. A few hours later, Trezor told customers via Twitter:

"[Y]ou can enable the passphrase feature, intended for additional protection against physical attacks. However, this is an advanced option and you should know how it works before opting for it. Loss of passphrase will lead to loss of funds."
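The passphrase feature Trezor refers to is the BIP39 passphrase: it is mixed into the seed derivation rather than stored on the device, so a seed phrase recovered from the hardware yields a different wallet without it, and a forgotten passphrase is just as unrecoverable. The following is an added illustration using only the Python standard library, not code from the article, the researchers, or SatoshiLabs; the mnemonic is the public BIP39 test vector, not a real wallet.

```python
import hashlib
import unicodedata
from typing import Dict, List

# BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
# The mnemonic is what a physical attack can recover from the device; the passphrase
# is typed by the owner and never lives on the device, which is why it defends against
# the kind of extraction described in the article.
def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP39 seed for a mnemonic and optional passphrase."""
    # BIP39 requires NFKD normalisation of both inputs before hashing.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Public BIP39 test-vector mnemonic (entropy of sixteen zero bytes); constructed example input.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def wallets_for(mnemonic: str, passphrases: List[str]) -> Dict[str, str]:
    """Map each passphrase to the hex seed it yields; every distinct passphrase is a distinct wallet."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def passphrase_changes_seed(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase yields a different seed than the bare mnemonic."""
    return bip39_seed(mnemonic, passphrase) != bip39_seed(mnemonic, "")


if __name__ == "__main__":
    seeds = wallets_for(TEST_MNEMONIC, ["", "TREZOR", "TREZ0R"])
    for p, s in seeds.items():
        print(f"passphrase={p!r:10} seed={s[:16]}...")
    # Someone holding only the mnemonic lands in the first (empty-passphrase) wallet;
    # funds kept under "TREZOR" are unreachable to them, and equally unreachable to an
    # owner who forgets the passphrase, which is the trade-off Trezor's tweet warns about.
```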

Alison Berreman

Alison has a master’s in English from the University of Wyoming. She lives with her pooch in Reno. Her favorite things to do include binge listening to podcasts, getting her chuckles via dog memes, and spending as much time outside as possible.
