Cryptocurrency hardware wallets are not foolproof

Written by  May 18, 2020

"The fact is that there’s no way to prevent a highly sophisticated attacker with physical possession of the device, and lots of time, technology, and resources, from completely 'pwning' that device—eventually."

ShapeShift said this in a June 2019 statement responding to different Donjon findings.

"ShapeShift recommends that you secure your device with the same caution you would with other investments or valuables. Protect your KeepKey like it could be stolen tomorrow."

The other new findings from Donjon focus on the Coldcard Mk2 wallet. The attack would be difficult for a hacker to carry out, because Coldcard uses special secure memory that blocks the type of side-channel attack the researchers launched against the KeepKey wallet and strictly limits PIN guessing. Coldcard manufacturer Coinkite outsources the chip from the microcontroller company Microchip. But the researchers still found that they could use what's called a "fault injection attack"—a hack that causes a strategic glitch triggering unintended, exploitable computer behaviour—to force the chip into an insecure debugging mode. In this state, the chip's PIN guess limit isn't in effect, meaning an attacker could "brute force" the PIN by trying every possible combination until the wallet unlocks.


To trigger the special glitch, the researchers used an impressively outlandish attack, though one that is not inconceivable for a motivated and well-funded adversary. The fault injection comes from carefully opening the physical case of the Coldcard wallet, exposing the secure chip, physically grinding down its silicon without damaging it, and shining a high-powered, targeted laser on the chip in exactly the right location with precise timing. Laser fault injection rigs cost roughly $200,000 and require special skills to operate. They are typically used for security and performance testing in smart cards, like those in your credit card or passport.

"It's an amazing report, and very exciting to see the extreme level of resources put into research of our products," Coinkite said in a statement about the research. "First things first, none of their research affects the security of the Mk3 Coldcard, which is the product we are selling today (and for the last year). Fundamental changes were made between mark 2 and 3."

Microchip has marked the status of the secure element used in the Coldcard Mk2 as "Not Recommended for new designs." The Donjon researchers point out, though, that the vulnerable chip was incorporated in embedded devices beyond cryptocurrency wallets.


A lot of time and effort went into producing this research. Given that Ledger is a competitor of KeepKey and Coldcard, the potential conflict of interest in the work is obvious. And the Donjon team has a history of finding and disclosing vulnerabilities in wallets from its prominent rivals. But the researchers say that they spend the vast majority of their time attacking Ledger wallets, and that when they find notable vulnerabilities in their own product they patch them and then post detailed analyses of the bugs. The group has also open-sourced two of its side-channel analysis, measurement, and fault injection tools for other researchers to use.

The Donjon researchers emphasise that the most important thing you can do to secure your hardware wallet is to keep it physically safe. If you're storing a few thousand dollars' worth of cryptocurrency, you likely won't have elite criminal hackers or nation-backed spies breaking into your house to shuttle your wallet to their state-of-the-art laser lab. But it's worth keeping in mind that even when you intentionally prioritise security by opting for something like a hardware wallet, it can still have weaknesses.


Paul Saunders

Crypto tech journalist, Paul specialises in Crypto news having worked and traded in the field for over 5 years and has previous Blockchain admin roles to his credit. His knowledge and experience in Crypto tech is very important to us and his contribution is invaluable.
