Bitcoin Forum
Author Topic: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware  (Read 664 times)
Pmalek
February 04, 2020, 10:13:59 AM
#21

I wear my Trezor around my neck.
If I did that I would find myself constantly checking whether it is still there and whether it had got caught on something and fallen off.



I assume an attack like this is not possible on a Ledger device. Seems that only Trezor users without passphrases have reasons to worry.
I would be interested in finding out how hard security experts have tried to break Ledger wallets as well.

o_e_l_e_o
February 04, 2020, 10:57:15 AM
Merited by LoyceV (2), vapourminer (1)
#22

While I will admit that it is a huge flaw in the design of the Trezor, this is not exactly a doomsday scenario that everyone seems to want to make it... Put on a "decent" passphrase (which isn't that difficult or annoying to use) and the entire thing essentially becomes a moot point anyway.
Well, it depends on your threat model, and how you use your Trezor. I use hardware wallets as a semi-cold wallet from my desktop computer, and they never leave my house or secure backup locations. I don't carry them around with me, and no one in real life other than my wife even knows they exist. So for me this attack is low risk, although I have still stopped using my Trezor and replaced it with another Ledger device.

But what about if you use your hardware wallet to secure a mobile wallet, for example? You carry it around constantly in your pocket or a bag, people see you using it, can maybe even track your addresses by watching you spend from it to a merchant's known address, and so on. Both the likelihood of being targeted and the possibility of this attack (or similar) increase significantly.

Now, while passphrases are great, and everyone with a hardware wallet should be using them, the passphrase answer by Trezor is completely unsatisfactory. It does nothing to address the failure in their wallets. The majority of people don't use a passphrase, and the majority of those who do certainly aren't using a long and truly random one. They have done little to publicize this need to their users. Really, they should be releasing a patch which requires all users to set a passphrase of minimum x characters. If we assume someone has accessed your seed and the only thing protecting your coins is a passphrase, then what you have left is little better than a brain wallet.

I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.
What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?
Wind_FURY
February 05, 2020, 10:39:05 AM
#23


I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.

What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?


Then I'm very confident that it would take the hacker a very long time to brute force my passphrase. I will surely find out that the device was switched well before he can guess it. It won't be close.

DaveF
February 05, 2020, 07:59:18 PM
#24


It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including a brute-force attack on the passphrase.

Which is still not a lot of time, so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters, it's still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a Trezor

So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave

o_e_l_e_o
February 05, 2020, 08:38:27 PM
#25

I will surely find out that the device was switched well before he can guess it.
Oh, I was speaking more in generalities rather than at you directly. Apologies for not being more clear. I was suggesting that I'm sure there are an awful lot of people out there who are more careless, and might not notice that their hardware wallet had been swapped or even notice if it was missing altogether for an extended period of time. A very clever attacker, after opening your device and extracting your seed, could even restore your seed to a brand new device and return that new device to wherever you are storing your Trezor. You (not you personally :P) would be none the wiser.

Which is still not a lot of time so 30 minutes to get and attack it and however long to get your PW. Unless its over 10 characters is still in the low hours with powerful enough HW.
An attacker doesn't need to have physical access to your device to brute force the passphrase once they have extracted your seed, though.
20kevin20
February 05, 2020, 09:50:11 PM
#26

I own a Ledger Nano S. Am I at risk too?

I've carried my Nano S in many places before knowing it could become physically exploited at any time.

Since I found out, I'm extra careful. I just thought I could carry it around and if I lose it - who cares? I got my seed, right? This is how it's been marketed around.

It looks like that's not the case. I haven't used a passphrase before on my Ledger due to the fear of forgetting it. Had a similar experience before and it sucks, I want to avoid a 2nd disaster.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed. Knowing the PIN is pretty short and numeric-only, AFAIK it's pretty easy to bruteforce (although physically entering a false PIN 3x leads to the autoreset of a Ledger).

If that is the case and I'm not mistaken, wouldn't this problem be solved on both Trezor and Ledger by changing the HW PIN to an alphanumeric password? It would be pretty damn annoying to have to go through 35+ characters by using just 2 physical buttons (speaking about the Nano S), but I'd do it if that's what it takes to protect against the theft of my seed.
o_e_l_e_o
February 05, 2020, 10:21:36 PM
#27

I own a Ledger Nano S. Am I at risk too?
There is not an equivalent attack known about at present for Ledger devices. With enough time and money, any hardware wallet is potentially breakable though, for example by examining the secure element with an electron microscope.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.
Correct. PIN is only used to unlock your device. It is irrelevant to restoring your wallet from the seed phrase. If you set a passphrase, you will be unable to recover the wallets behind it without both seed phrase and passphrase.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed.
This attack does not involve bruteforcing the PIN, so any modifications to the PIN would be irrelevant.
Wind_FURY
February 06, 2020, 07:32:54 AM
#28


It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including a brute-force attack on the passphrase.

Which is still not a lot of time, so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters, it's still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a Trezor


So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave


Then it's still not a practical attack. Plus there's an option for "the owner" to secure his Bitcoins with different passphrases, with each going to a different hidden wallet.

PrimeNumber7
February 07, 2020, 06:19:45 PM
#29

Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people... :P

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave
If you are not known to have a lot of coin, you will probably not be the subject of this kind of attack. If you have a trezor in a desk drawer, and your house is burglarized, the burglars will probably ignore your trezor if they come across it. If you keep your trezor in a safe, and the safe fairly well hidden (under a carpet or rug, or behind a picture), chances are an attacker will not be able to physically access your trezor.

I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise, and move his coin via a backup, or an emergency pre-signed transaction that he broadcasts before the passphrase can be brute forced.

This attack does not require expensive equipment, but the equipment required to execute the attack is fairly specialized. An attacker would need to have specialized technical skills to execute this attack. These technical skills are very valuable in the job market, and an attacker would need to risk his ability to leverage these skills in the job market to even try to pull off this kind of attack.

Unfortunately, it is very difficult to protect information that is frequently accessed from attacks involving physical access to a device. 
o_e_l_e_o
February 08, 2020, 09:51:48 AM
#30

I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.
The Ledger report states that even a 9 digit PIN was brute forcible within a few minutes.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise
This is true, but there are plenty of people who store a secondary hardware device off-site as a backup, and might only check on it once a week, once a month, or even less frequently. If an attacker was to access one of those, they could potentially have several months to try brute forcing a passphrase (assuming they have used one).
malevolent
February 09, 2020, 05:05:52 AM
#31

For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.

5 randomly chosen words from a very thick dictionary should be more than enough. (almost 91 bits of entropy if it's a dictionary with 300k entries)

PrimeNumber7
February 09, 2020, 06:29:34 AM
Merited by vapourminer (1)
#32

I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.
The Ledger report states that even a 9 digit PIN was brute forcible within a few minutes.
Which report are you referring to? There was a disclosure in March 2019 by Ledger that confirmed that a side channel attack allowing an attacker to discover the PIN was patched. I also don't see anything about a 9 digit PIN in that disclosure.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise
This is true, but there are plenty of people who store a secondary hardware device off-site as a backup, and might only check on it once a week, once a month, or even less frequently. If an attacker was to access one of those, they could potentially have several months to try brute forcing a passphrase (assuming they have used one).
This is true for any off-site backup. Using a trezor is still going to be more secure than using a paper wallet, or an encrypted file on a hard drive or USB stick because specialized equipment and technical skills are necessary to perform this kind of attack. These technical skills are worth north of 6 figures on the job market per year, and the ability of an attacker to get hired and utilize these skills would be diminished if caught breaking and entering somewhere to steal a trezor.

Unlike an encrypted file, the end user can use multiple passphrases, and can use an easier to crack passphrase with a smaller amount of coin. This would mean an attacker would need to find the coin, and decide if he wants to continue expending resources to gain access to additional coin that may or may not exist. The attacker would also need to decide if he wants to spend the coin he finds immediately, possibly tipping off the victim that his trezor has been compromised, or wait to try to find another passphrase with more coin, and risk the victim discovering the compromise and moving his coin.
o_e_l_e_o
February 09, 2020, 09:15:52 AM
#33

5 randomly chosen words from a very thick dictionary should be more than enough. (almost 91 bits of entropy if it's a dictionary with 300k entries)
Probably, but the point I was making was that if this attack is successful, then you are entirely relying on your passphrase to protect your coins. 91 bits of entropy, although probably enough, is a tiny amount when compared to the usual 256 bits of entropy of a seed. If you want your passphrase to be as secure as your seed, then it needs to be impractically long and random.

Which report are you referring to?
I meant this one: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/. Specifically:
Quote
Works on all firmware versions - On encrypted firmware (Keepkey & Trezor >= 1.8), the PIN must be bruteforced. It can take a few more minutes (on a fast computer) for a long PIN (9 digits)
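As an added example (not code from this thread, Trezor or Ledger), the BIP39 derivation behind posts #27 and #33: the passphrase is mixed into the wallet seed itself, so the device PIN never enters the computation, and the entropy arithmetic behind the "91 bits" and "37 characters" figures. The mnemonic in the demo is the public BIP39 English reference vector #1; the guess rate passed to `expected_guess_seconds` is an assumption the caller supplies, not a measured figure.

```python
"""BIP39 seed derivation and passphrase-strength arithmetic (added example)."""
import hashlib
import math
import unicodedata
from typing import Iterable

BIP39_PBKDF2_ROUNDS = 2048  # fixed by the BIP39 specification


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP39 seed from a mnemonic and optional passphrase.

    BIP39: PBKDF2-HMAC-SHA512 with password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase), 2048 rounds, 64-byte output.
    The device PIN is not an input: it only gates access to the device,
    so once the mnemonic is extracted the passphrase is the only secret left.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_PBKDF2_ROUNDS, dklen=64)


def hidden_wallets_differ(mnemonic: str, passphrases: Iterable[str]) -> bool:
    """Each distinct passphrase yields a distinct seed, i.e. a separate
    'hidden wallet' (the multi-passphrase feature discussed in the thread)."""
    phrases = list(passphrases)
    seeds = {bip39_seed(mnemonic, p) for p in phrases}
    return len(seeds) == len(set(phrases))


def random_chars_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def random_words_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def chars_needed_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest count of uniformly random characters that reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of the given entropy at an
    assumed guess rate (on average half the keyspace is searched). The rate is a
    caller-supplied assumption; PBKDF2's 2048 rounds bound it per core."""
    return (2 ** entropy_bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Public BIP39 English test vector #1 (12 words, passphrase "TREZOR").
    mnemonic = "abandon " * 11 + "about"
    print(bip39_seed(mnemonic, "TREZOR").hex())
    print(hidden_wallets_differ(mnemonic, ["", "decoy", "real savings"]))
    # Figures from the thread: 5 words from a 300k dictionary vs a 256-bit seed.
    print(round(random_words_entropy_bits(300_000, 5), 1))
    print(chars_needed_for_bits(95, 256))   # printable ASCII alphabet
    print(chars_needed_for_bits(128, 256))  # a 128-symbol alphabet
    # Constructed guess rate (assumption) purely to exercise the estimator.
    print(expected_guess_seconds(random_chars_entropy_bits(10, 9), 1e4))
```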
DaveF
February 09, 2020, 03:33:03 PM
Last edit: February 09, 2020, 03:46:21 PM by DaveF
Merited by o_e_l_e_o (2), vapourminer (1), malevolent (1)
#34

Looking back through this thread and the other discussions about the vulnerability of some of the wallets there seem to be 3 things that keep coming around.

1) It's not that bad because of "xxx" reason. xxx can be needs access to the hardware, needs specialized equipment, needs an unreasonable amount of time.

2) It can be mitigated because of "yyy" reason. yyy can be long pin, long passphrase, there is no way to get to my device.

3) It can't happen to me because of "zzz" reason. zzz is my device is never unattended, my device is in an ultra-secure location, etc.


The problem is this:
You could be holding a significant amount of money on one of these devices and they claim they are secure.
Then they make all these * notes about things you have to do to make it secure. Long pins, long passphrases, etc.

Which is great for us here reading these threads.

But, what about Bob? Alice told him to get a hardware wallet to keep things secure and he did. And he followed the setup instructions that did not mention the stupid long passphrase and 12 digit pin. And he even keeps it updated and occasionally reads the read me file with the new firmware.

But it's still not being posted on the hardware makers' site in 40 point red font telling people about it.

I even told my favorite hardware wallet maker they should do this (and they failed).

So, yeah it's an issue now and going to continue to be one.

-Dave

small edit of a line because what I had in my brain did not make it properly to my keyboard.

o_e_l_e_o
February 09, 2020, 03:58:37 PM
Merited by DaveF (4), PrivacyG (2), vapourminer (1), malevolent (1)
#35

-snip-
Couldn't agree more.

The whole point of hardware wallets is that they are marketed as a simple and easy way to store your keys. They are often recommended to newbies on that exact premise. They are inferior to proper airgapped wallets, but much easier to set up and use. As soon as you start adding all these xxx, yyy, zzz caveats, they become less simple and therefore less safe. Not only that, but Trezor make no mention of this attack whatsoever on their "Getting started" or "Basic features" manual/support page. Passphrases are mentioned exactly once on these pages here - https://wiki.trezor.io/User_manual:Setting_up_the_Trezor_device - where all they say is that Trezor Manager can be used to set up a passphrase. You have to delve pretty deep into the "Advanced settings" before they start recommending that you should use a passphrase, but still make absolutely no mention of this attack.

They can't just sweep an attack which has the potential for users to lose all the coins they own under the rug like this. Whenever this attack is discussed publicly their response is "It's not an issue because everyone should be using a long and random passphrase", but at no point in their set-up guide do they even mention passphrases exist, let alone that all users should be using one or risk losing everything.

There should be a big warning on their website and on their set-up guide stating "Yes, this attack exists, all future models will have different hardware to mitigate it, and all current users should be using passphrases".
malevolent
February 09, 2020, 07:59:19 PM
Merited by DaveF (1)
#36

Well, they could certainly do more to inform their users about this, especially considering how much money some people are storing on their hardware wallets. When I first got my Trezor several years ago I had also been under the impression that a PIN-protected Trezor is secure against all attacks; over the years it seems the narrative has changed.

DaveF
February 09, 2020, 08:31:08 PM
#37

Well, they could certainly do more to inform their users about this, especially considering how much money some people are storing on their hardware wallets. When I first got my Trezor several years ago I had also been under the impression that a PIN-protected Trezor is secure against all attacks; over the years it seems the narrative has changed.

How about ANYTHING to inform their users.
E-mail to known owners.
Notifications on the home page.
Popups on the access pages.
Having a sticky thread here.

Something obvious, not what they do now which is make people dig for it.

-Dave
Note: This is most wallet makers not just Trezor

PrimeNumber7
February 10, 2020, 01:09:11 AM
Merited by DaveF (1)
#38

But, what about Bob? Alice told him to get a hardware wallet to keep things secure and he did. And he followed the setup instructions that did not mention the stupid long passphrase and 12 digit pin. And he even keeps it updated and occasionally reads the read me file with the new firmware.
I don't think trezor is responsible for what other people tell their users.

To be fair to trezor, they do have a security page that discloses past security issues. Although this one does not appear on that page.

There was this statement that trezor published in their FAQ in 2016:
If somebody steals my Trezor, they’ll just empty out my wallet before I have the chance to restore anyway. Right?
Not at all. All operations on TREZOR require the user to enter a PIN. The attacker would have to guess your PIN which is very difficult because with each badly entered PIN the time for entering it anew increases exponentially. For example, the delay between 19th and 20th PIN entering is 35 hours. Unplugging and plugging the device won’t help. The thief would have to sit his life off entering the PINs. Meanwhile, you have enough time to move your funds into a new device or wallet from the paper backup.

You can also hide your wallet behind a passphrase which can be set on top of the PIN. Read more about the multi-passphrase encryption (hidden wallets).

I think this answer is still technically true, but may be misleading in light of the disclosure referenced in the OP. There are other answers in trezor's FAQ page that imply that coin is safe if an attacker steals a person's trezor.

I believe the lack of notifications by trezor has to do with the common threat models of trezor customers, described in trezor's response to the disclosure in the OP. Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.

At the end of the day, the security of my coin is my responsibility. If representations were made to me that were correct based on the person's knowledge at the time, I don't think I would have a valid basis to complain if a new technique or new technology later made that representation to be untrue. 

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 
DaveF
February 10, 2020, 01:28:15 AM
#39

...snip...

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Some possibly, some possibly not.
The issue for me and for other people I have spoken with is that this OP issue still exists and they have done nothing about it (nor can they), but they still don't have the warnings front and center on their website / in the instructions.

-Dave

PrimeNumber7
February 10, 2020, 01:57:16 AM
#40

...snip...

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Some possibly, some possibly not.
The issue for me and for other people I have spoken with is that this OP issue still exists and they have done nothing about it (nor can they), but they still don't have the warnings front and center on their website / in the instructions.

-Dave
Their response says they believe only about 6% of crypto users are concerned with physical attacks. This might not be enough of their user base to put such a prominent display on their website. 