Crypto Frontline

Up until a year ago, hardware wallets were considered to carry the highest level of security, but a series of researches had proven that even when using them, there could be some vulnerabilities exploitable by hackers.

Vulnerabilities in Ledger and Trezor, two of the most popular hardware wallets, had been uncovered in the past, but a fresh report released by the Kraken exchange suggests that KeepKey might be another wallet exposed to risks.

What is voltage glitching?

According to a recent post from the Kraken blog, a hacker can gain access to a KeepKey wallet and uncover the private keys. The flaw can be exploited only if there is a physical connection to the device, meaning the hacker must steal the wallet from the owner.

In case that happens, he will be able to gain access to the private keys by using a method called voltage glitching. The attack uses a combination of zapping the electronics of KeepKey, making the 9-digit pin to unlock the device. As the testers from Kraken mentioned, the attack will take no longer than 15 minutes, and any hacker can build a glitching device without investing a lot of money:

The attack takes advantage of inherent flaws within the microcontroller that is used in the KeepKey…This attack relies on voltage glitching to extract your encrypted seed, which can require specialized hardware and knowledge. We estimate that a consumer-friendly glitching device could be created for about $75.

Solutions to the problem?

Thankfully, this vulnerability happens only when there’s a physical connection to the wallet. Remote attempts are not possible. In addition, users of KeepKey wallets who want to rest assure even when someone steals their wallets can enable the BIP39 Passphrase. This is an additional security feature and unlike the private keys, it’s not stored on the device.

The vulnerability had been discovered in September and KeepKey had been notified. According to the wallet provider, its only task is to prevent remote access to the private keys and as long as users keep their wallets safe, no one will be able to access their tokens.

Although voltage glitching is only possible when a hacker steals the wallet and gains physical access to it, it’s interesting to find out that even when it comes to very secure devices, smart people can find vulnerabilities. We must also emphasize that our goal is not to discredit any hardware wallet provider, but to inform people that these vulnerabilities exist and, where possible, to provide solutions for them.