Cryptosecurity firm finds a vector to hack a Trezor T wallet

Unciphered, a cryptosecurity firm that is dedicated to recovering lost or stolen cryptocurrency, claims to have discovered a way to access the Trezor T hardware wallet. This type of hack is only possible with physical access to the device and is disclosed in the midst of a controversy surrounding the security of Bitcoin hardware wallets.

According to the company, the method is based on taking advantage of a vulnerability in the STM32 chip, present in the One and T models, which allows obtaining the integrated flash and the data on a single write (OTP). Unciphered ensures that the vulnerability cannot be patched at the chip level, according to statements that the company offered to the Coindesk media outlet.

This would be the first time that information about a hack to a Trezor model T has been disclosed. However, it would not be the first hack of this type to a hardware wallet from the Trezor company, since in January a video was released where USD 2 was recovered million of a One model, as reported by CriptoNoticias. “That video shows a hack of a Trezor One with old firmware, our hack is for a Trezor T with the latest firmware”, indicates the cryptosecurity company in a tweet.

According to Coindesk’s account, Unciphered made a video about different faces of hacking run on a Trezor T that the media outlet provided for that purpose. There they demonstrated that they resurfaced the initial phrase and the PIN of the device. The cryptosecurity firm would have hacked EthereumWallet in the past and they state on their home page that they could hack any wallet on the market.

For his part, Trezor told the outlet that they do not have enough information from Unciphered to understand what method they used. However, they presume that it could be an “RDP downgrade attack”. As Trezor reported on its blog in 2020, a “read protection downgrade,” or RDP, attack requires the physical theft of a device to execute, extremely sophisticated technological knowledge, and advanced equipment.

Unciphered also ensures that they are not in a position to affirm or deny whether the Trezor T hack was done via an RDP downgrade attack, citing “current commitments and non-disclosure agreements” on how to exploit this vulnerability.

“In addition, any technical disclosure would put Satoshilabs customers at potential risk until mitigations such as a new chip other than the STM32 in current use are used,” according to statements by Unciphered.

Who are responsible

Unciphered criticized that Trezor has not done anything, beyond reporting the vulnerability of the STM32 chip in 2020. “The fact is that through this article they are trying to put the responsibility of protecting their device on the client instead of assuming the responsibility responsibility to admit that your device is fundamentally insecure,” Unciphered told CoinDesk.

“Contrary to Unciphered’s claims, Trezor has already taken significant steps to resolve this with the development of the world’s first transparent and auditable secure element through sister company Tropic Square,” Trezor said.

Controversies around hardware wallets

This fact coincides with the controversy sparked by a controversial Ledger update. As CriptoNoticias reported, the bitcoiner community criticized a new feature that allows Ledger users to save their recovery seed in the cloud. As a consequence, Ledger decided to delay the release of the feature called Recover.