In a demonstration entitled "Wallet.fail", a team of security researchers hacked the Trezor One, Ledger Blue and Ledger Nano S hardware wallets. Unfortunately, it seems that their results were put on display at the 35th Chaos Communication Congress (35C3) in Leipzig, Germany, rather than going through responsible disclosure practices, which would have allowed the manufacturers to patch the vulnerabilities and protect their customers from any potential attack. Fortunately, the vulnerabilities appear to be very difficult for attackers to exploit.
The team of experts included security researchers Dmitry Nedospasov and Josh Datko, and systems engineer Thomas Roth. Among the vulnerabilities revealed in the presentation were many that could be resolved with a firmware update on the affected hardware wallets.
SatoshiLabs, the manufacturer of the Trezor wallet, said through its Chief Technology Officer Pavol Rusnak that the company had not been informed of the vulnerabilities demonstrated during the event, adding that there is a "Responsible Disclosure Program" the researchers could have followed to report the flaws.
"As for the discoveries of #35c3 on @Trezor: we were not informed through our responsible disclosure program, so we learned about them from the stage. We need a little time to fix them and we will address them through a firmware update at the end of January."
Ledger raised the same objection, arguing in a blog post that it had been bypassed by the researchers, who could have notified the company through responsible disclosure, which it said would have given it the time needed "to patch the vulnerability and mitigate risks to users."
As for the vulnerabilities, it seems that they cannot (yet) be exploited remotely; many of them require the intruder to have physical access to the device in question and sometimes even access to the owner's computer.
At the presentation, the researchers said they had demonstrated a technique against a Trezor One hardware wallet that allowed them to extract the mnemonic seed (and PIN) from RAM, adding that the vulnerability can only be exploited against users who do not use a passphrase.
The team also said they had installed their own firmware on a Ledger Nano S, allowing them to manipulate the wallet by signing transactions remotely. To do this, the intruder must have physical access to the Nano S and must also compromise the victim's PC, where malware is installed to steal the PIN once the victim loads Ledger's Bitcoin app.
Ledger argues that because this scenario requires an intruder to have physical access to the device, access to the victim's computer, and the patience to wait for the victim to enter their PIN and launch the Bitcoin app on the PC, this type of attack is unlikely to be a practical threat.
The security researchers also demonstrated a side-channel proof-of-concept attack on Ledger's most expensive hardware wallet, the Ledger Blue. According to the team, the Ledger Blue leaks the signals sent to its touchscreen as radio waves, making them vulnerable to sniffing. This is due to the animation of the PIN keypad. The researchers say the signal could become stronger when a USB cable is connected to the device, allowing them to sniff the Ledger Blue's PIN remotely.