There Are Vulnerabilities In Trezor And Ledger Hardware Wallets
Researchers from the Wallet.fail project managed to hack the Trezor One, Ledger Nano S and Ledger Blue cryptocurrency hardware wallets using a vulnerability in the devices' firmware. The results of the experiment are published on the Media.ccc website.
At the 35C3 Refreshing Memories conference, research team members Dmitry Nedospasov, Thomas Roth and Josh Datko were able to extract the private key from the wallets by flashing the devices. However, they said, this vulnerability comes into play if the user did not install the seed phrase.
Wallet.fail representatives installed the Snake game on the Ledger Nano S hardware wallet to demonstrate the device’s low security level. One of the researchers said that they can confirm the execution of transactions and even display a non-existent money transfer on the device screen. In the Ledger Blue, the most expensive hardware wallet from Ledger, the motherboard transmits signals to the display too slowly. When the device is connected to a computer via USB, the radio waves become more powerful and may be intercepted at a distance of several meters.
Using software based on artificial intelligence technology, the researchers intercepted the motherboard's radio signals, which contained information about the device's PIN.
When the Wallet.fail team was asked what they thought about the BitFi cryptographic network, they replied that they were ready to talk only about more or less secure devices, and not about Chinese fakes. BitFi appeared in media headlines in the summer of 2018, when cryptocurrency crusader John McAfee began to advertise the wallet, claiming that the device could not be hacked. Despite the loud statements, BitFi was successfully hacked a few days later.
Ledger and Trezor have not yet commented on the news of the vulnerabilities discovered in their devices. However, Pavol Rusnák, CTO of SatoshiLabs (owner of Trezor), said that the company's specialists will analyze the results of the wallet hacks and update the software by the end of January.