It took the specialist three months to find the right method to hack the hardware wallet.
The owner of the wallet forgot the private keys and was at risk of losing a sum worth millions.
A computer engineer managed to hack a hardware wallet from the firm Trezor and recover around 2 million US dollars (USD) in cryptocurrencies, more precisely in Theta (THETA). The effort took 12 weeks and, in the end, finished satisfactorily.
The specialist, Joe Grand, was in charge of breaching the security of the device, a Trezor One. For him, the process was a real roller coaster, in which he invested at least three months of experimentation, failures, successes “and heart-stopping moments”.
“It reminded me that hacking is always unpredictable, exciting, and educational, no matter how long you’ve been doing it. In this case, the stakes were higher than normal – you only had one chance to get it right,” Grand said in a video shared on YouTube, in which he recounted the experience and the process.
At first, he noted, it was “like disabling an alarm system in a museum and stealing the jewelry,” except someone “made an exact copy of the jewelry, put it behind a locked door, and then I walked in. I kicked in the door and stole the jewelry, but the originals were still there.”
According to Joe Grand, over time there have been ways to break the security of a hardware wallet. So when he was contacted by Dan, the owner of the device, he took on the task of recovering the funds.
According to Dan, who traveled to Portland, USA, to save his money, the problem started with a friend of his, who forgot the private keys. The risk of losing their funds was great, since Trezor devices have a security mechanism that deletes the content if the wrong password is repeatedly entered.
Trial and error
Grand, who promised from day one to recover the money on Dan’s device, said in the video that breaking into the wallet was a process of trial and error, a “long story of three months of effort” in which he tried different techniques until he succeeded.
He indicated that, to achieve the hack, he had to use a lot of different hardware wallets. He discovered that Trezor wallets have a security function within the device’s microcontroller that prevents reading the contents of memory.
Therefore, he found a way to defeat the security of the device, something that can only be done with the wallet turned on and connected. In detail, he looked up the source code for the device, “because at some point in that recovery process I discovered that the PIN and seed had to be moved to an area that I could access through my debug interface.”
“That was exactly where I made the attack: the memory copy function. Turns out I found an area in the source code where secret information is copied into RAM. When a bug is run to defeat the security of the chip, the contents are there and can be extracted,” he explained.
To defeat security and access RAM, he said he would apply a method called “fault injection”, where basically errors are caused in the silicon chip inside the device.
To do this, he would use a tool called ChipWhisperer, with which the fault injection attack, or voltage fault, as it is also known, would be executed. The intention was clear: make the chip misbehave at just the right time to defeat the wallet’s security “and then continue our hacking.”
The way we know we’ve successfully beaten security is that the chip will enable what’s called a debug mode. In a debug mode, it uses an external piece of hardware. This allows you to read memory and do general debugging of a microcontroller. And in the case of the Trezor, if we beat the security feature, it will go into debug mode and only allow us to access a particular area of memory, which is RAM. There, the recovery seed and PIN are copied. We also need to modify the Trezor device to allow us to interface with the rest of our hardware. All the pieces are tied together with a custom circuit board, and if everything works correctly, then we win.
Joe Grand, professional hacker.
Starting the hack
Once Joe Grand explained the process to be carried out, he began the procedure. He carefully opened the wallet, made the necessary connections, and then began the attack.
Overcoming Trezor’s security was no easy task, however. After several hours of waiting, he was finally able to compromise a hardware wallet, ironically one of the safest ways to hold cryptocurrencies.
In total, it took 3 hours and 19 minutes for the fault injection to cause the wallet’s silicon chip to throw the necessary errors to access debug mode, which gives access to RAM and, finally, to the information necessary to recover the USD 2 million lost.
“This project was a perfect example that hardware wallet hacking is trial and error. Once we finished this final attack, where we were able to extract the seed of a protected microcontroller, something that Trezor handles really well, we realized that all the security vulnerabilities that people have reported can be found,” said the professional hacker.
This type of attack had already been warned about
Joe Grand’s feat of recovering $2 million by hacking a hardware wallet is noteworthy. Nevertheless, attacks and breaches of this type had been reported in the past.
As CriptoNoticias reported in January 2020, an investigation by the Kraken Security Labs team found that Trezor’s cold wallets are vulnerable (like those of its competition, KeepKey and Ledger). According to the report, an attacker can extract the seeds with physical access to the wallet for as little as 15 minutes.
In detail, it was learned that hackers employ glitching, or voltage injection (as Grand did), by which they extract the encrypted seed. This attack, as described, involves manipulating hardware variables to cause temporary problems on devices that store sensitive data.
According to Kraken Security Labs, this procedure exploits flaws within the microcontroller used in wallets.
“Unfortunately, this means that it is difficult for the Trezor team to do anything about this vulnerability without a hardware redesign,” the researchers explained at the time.
The curious thing is that the three manufacturers of hardware wallets were questioned that same year, when a discovery called into question the reputation of those devices. The companies apparently knew about a vulnerability in the design of their wallets that allowed the theft of bitcoins, a fact that we also reported in this newspaper.