"ShapeShift recommends that you secure your device with the same caution you would with other investments or valuables. Protect your KeepKey like it could be stolen tomorrow."
The other new findings from Donjon focus on the Coldcard Mk2 wallet. The attack would be difficult for a hacker to carry out, because Coldcard uses special secure memory that blocks the type of side-channel attack the researchers launched against the KeepKey wallet and strictly limits PIN guessing. Coldcard manufacturer Coinkite outsources the chip from the microcontroller company Microchip. But the researchers still found that they could use what's called a "fault injection attack"—a hack that causes a strategic glitch triggering unintended, exploitable computer behaviour—to force the chip into an insecure debugging mode. In this state, the chip's PIN guess limit isn't in effect, meaning an attacker could "brute force" the PIN by trying every possible combination until the wallet unlocks.
To trigger the special glitch, the researchers used an impressively outlandish attack, though one that is not inconceivable for a motivated and well-funded adversary. The fault injection comes from carefully opening the physical case of the Coldcard wallet, exposing the secure chip, physically grinding down its silicon without damaging it, and shining a high-powered, targeted laser on the chip in exactly the right location with precise timing. Laser fault injection rigs cost roughly $200,000 and require special skills to operate. They are typically used for security and performance testing in smart cards, like those in your credit card or passport.
"It's an amazing report, and very exciting to see the extreme level of resources put into research of our products," Coinkite said in a statement about the research. "First things first, none of their research affects the security of the Mk3 Coldcard, which is the product we are selling today (and for the last year). Fundamental changes were made between mark 2 and 3."
Microchip has marked the status of the secure element used in the Coldcard Mk2 as "Not Recommended for new designs." The Donjon researchers point out, though, that the vulnerable chip was incorporated in embedded devices beyond cryptocurrency wallets.
A lot of time and effort went into producing this research. Given that Ledger is a competitor of KeepKey and Coldcard, the potential conflict of interest in the work is obvious. And the Donjon team has a history of finding and disclosing vulnerabilities in wallets from its prominent rivals. But the researchers say that they spend the vast majority of their time attacking Ledger wallets, and that when they find notable vulnerabilities in their own product they patch them and then post detailed analyses of the bugs. The group has also open-sourced two of its side-channel analysis, measurement, and fault injection tools for other researchers to use.
The Donjon researchers emphasise that the most important thing you can do to secure your hardware wallet is to keep it physically safe. If you're storing a few thousand dollars-worth of cryptocurrency, you likely won't have elite criminal hackers or nation-backed spies breaking into your house to shuttle your wallet to their state-of-the-art laser lab. But it's worth keeping in mind that even when you intentionally prioritise security by opting for something like a hardware wallet, it can still have weaknesses.
If you are new to the Cryptocurrency world and would like to open an account we recommend Cex.io.