The security department of Kraken, a digital currency exchange based in San Francisco, has discovered a critical flaw in two wallets produced by industry leader, Trezor, according to a recent blog post. Kraken Security Labs said the flaw could enable hackers to extract encrypted seeds from cryptocurrency hardware wallets, Trezor One, and Trezor Model T within a few minutes if they have physical access to the devices.
According to Kraken, they were able to extract the encrypted seed on both wallets within 15 minutes of physical access to the device by deploying an attack that relies on voltage glitching. The attack was successful because the flaws are inherent to the microcontroller used in both Trezor wallets; hence, the Trezor team will not be able to solve this vulnerability unless they redesign the hardware.
With access to the encrypted seeds, the Kraken Security Labs said they were able to crack the seed easily. Despite the fact that it is usually protected by a 1-9 digit PIN, however, the PIN is trivial to a brute force, which means hackers can get in quickly.
"This initial research required some know-how and several hundred dollars of equipment, but we estimate that we (or criminals) could mass-produce a consumer-friendly glitching device that could be sold for about $75," the exchange noted.
Apparently, Kraken's report on the new development is not meant to be a threat to Trezor's wallet or users; however, the intentions call for safety, as they also noted ways to avoid such an attack. At first, the exchange advised users not to grant anyone physical access to their Trezor wallet because it could result from losing their crypto funds permanently.
Secondly, enabling the BIP39 Passphrase feature on the Trezor wallet is considered as the best way to prevent the attack. According to Kraken, a passphrase is a protection that prevents this attack, since it is not stored on the device.