June 06, 2023 - 5 min read
Are your digital assets really safe in cold storage, or can attackers still find ways to pilfer your crypto?
Hardware wallets, which allow users to record and store their private keys offline protect digital assets, are generally considered to be secure compared with trusting your assets to a custodian. In such cases, the custodian holds the crypto, secured by a private key unavailable to the individuals using that custodian.
One such hardware device is called Trezor, which was developed by SatoshiLabs. It was one of the first hardware wallets developed for Bitcoin, but it has also supported other assets for quite a while now. The goal of a hardware wallet like Trezor is to protect your digital assets from online-based threats like trojan horse viruses and keyloggers. Instead, transactions are partly-signed on the device, keeping the private keys offline except in case a lost device forces you to recover your wallet.
For another layer of security, Trezor devices are also equipped with display screens which show the details of transactions for manual verification before signing in. Trezor wallets are protected with a PIN code that you type in manually each time the device is plugged in, and can be recovered using a recovery seed phrase if the device is lost or worse, pilfered in some fashion or another. Hidden wallets can also be utilized on Trezor devices for another layer of protection against theft.
All that being said, many wonder whether or not these devices are really safe or can they be hacked? Let’s explore a few known scenarios that could result in your Trezor device being hacked or compromised in some way. Hopefully this primer will inspire you to consider your own operational security in a new light, but this is not to be considered financial advice in any way.
Thus far, there have been no reported instances of private keys being stolen without direct access to physical devices by the hackers. That said, no solution is entirely immune to security risks, and some vulnerabilities have been reported over the past several years.
One such example is called a supply chain attack in which someone gains physical access to the device before the user– and thus compromises the device somewhere along the supply chain before the secret keys are generated. An unsuspecting user wouldn’t know that the attacker pre-generated the keys and is waiting for the right moment to drain the target’s wallet. To avoid this, it’s recommended to purchase devices directly from the company’s website or from authorized dealers.
Phishing attacks are another risk that affects nearly everyone using the internet these days, which includes our hardware wallets. If it hasn’t happened to you already, phishing attacks attempt to trick users into providing their phone numbers, passwords, recovery seed phrases, PINs, or other sensitive information. This could allow the attackers to exploit 2FA protocols to access your accounts and potentially steal your digital assets.
Remember that the security of any hardware wallet depends on the user being responsible. To maximize security, it is important to keep the device’s firmware up-to-date, securely store your recovery seed phrase, use 2FA, and so on. To take custody of one’s assets is a great responsibility and should be respected as such.
Cybersecurity startup Unciphered was originally created to provide services for recovering digital assets from locked hardware wallets. Since then, they’ve expanded to providing recovery services for software wallets as well. The company claimed recently that it was able to hack into the widely used Trezor T hardware wallet.
During a YouTube demonstration, Unciphered extracted a Trezor Model T’s mnemonic seed phrase which relies on physical possession of the device. In the video, the Unciphered team demonstrated a method they developed to reliably crack into the physical hardware.
First they soldered the motherboard of the device and connected it to “The Beast” to extract the encrypted data before leveraging ten specialized GPU chips to flash extract both the PIN code and seed phrase. While this is really difficult to accomplish, the problem is unfixable without a physical recall of all their products.
However, Trezor has already acknowledged that the recent hacking demonstration had similarities with the Read Protection Downgrade (RDP) vulnerability that affected both the Trezor One and Trezor Model T, and communicated to users on the company’s blog back in 2020. One is led to believe that a recall will not be happening anytime soon without any major incidents to act as a catalyst for Satoshi Labs to do so.
Finally, the question is whether or not the public sees this kind of exploit as a real threat or a threat too small to consider meaningful. As the industry matures and with so many options for hardware wallets out there, a significant change in market share will be the telltale sign to watch. So, will you take more time to research the hackability of your own wallet? If you own a Trezor, will you be upgrading to something new?
Sign up for the Supra newsletter for company news, industry insights, and more. You’ll also be the first to know when we come out of stealth mode.