Hardware Wallet Flaw Lets Attackers Hold Crypto for Ransom Without Touching Device
A hypothetical man-in-the-middle attack would have allowed an attacker to hold users’ crypto for ransom on Trezor and KeepKey hardware wallets.
Updated Sep 14, 2021, 9:51 a.m. Published Sep 2, 2020, 8:15 p.m.

A recently disclosed vulnerability in two popular hardware wallets would have allowed attackers to hold users’ cryptocurrency for ransom without going anywhere near the device.
- ShiftCrypto, the Swiss company that manufactures the BitBox hardware wallet, has disclosed a potential man-in-the-middle ransom attack vector on the rival Trezor and KeepKey hardware wallets.
- A ShiftCrypto developer known as Marko discovered the vulnerability in the spring of 2020, and notified the Trezor and KeepKey teams respectively in April and May. A Trezor representative confirmed to CoinDesk that the attack "is only theoretical and has never been performed in practice."
- ShiftCrypto did not suggest the attack had been carried out, only that an attack was possible.
- Trezor has patched the vulnerability for its Model One and Model T hardware wallets. KeepKey (which is a fork, or copy, of Trezor and so runs near-identical code) has not made a fix, according to the ShiftCrypto team, who said the manufacturer cited “higher priority items” as the reason. CoinDesk reached out to KeepKey to ask the team why they deemed the attack vector low priority but did not receive a response by press time.
- The hypothetical attack involves an optional passphrase that Trezor and KeepKey users can set to unlock their device in lieu of the usual PIN code. Both hardware wallets require a USB connection with a computer or mobile device to manage accounts. When plugging the hardware wallet into the other device, a user would type the passphrase into the latter to access the former.
- The problem is that neither Trezor nor KeepKey would verify the passphrase users entered. Verification would require displaying the passphrase on the wallet’s screen so the user could ensure it matched what they typed on the computer.
- Without this safeguard in place, a man-in-the-middle attacker could have modified the information relayed between Trezor or KeepKey and their users by importing a new passphrase into the wallet. The user would be none the wiser, since he or she couldn’t check that the passphrase on the device matched the one on the computer screen.
- Upon inputting the old passphrase, the user would open the hardware wallet’s interface on the computer as usual. Each address generated, however, would be under the control of the new passphrase set by the hacker, so the hardware wallet user would be unable to spend funds locked in these addresses.
- The attacker, however, would not have access to these addresses because they are still derived from the wallet’s seed phrase, so they can only be held for ransom. Thus, even if the hacker had access to the real passphrase, he or she would need the seed phrase or access to the device itself.
- This ransom attack could be executed against multiple users at once, and multiple cryptocurrencies could be taken hostage at the same time.
- Trezor and KeepKey have had run-ins with vulnerabilities in the past, but most of these required physical access to the hardware wallets to succeed, with a couple of exceptions. The one discovered by their competitor broke ground by allowing the hypothetical attacker to work remotely.
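To make the mechanism concrete, here is an added Python model (not code from Trezor, KeepKey or ShiftCrypto) of the BIP-39 seed derivation and of the host-to-device passphrase handoff, with and without the on-screen confirmation that the fix introduced. The `Device` and `session` names, the substituted passphrase and the fingerprint stand-in for "addresses derived from the seed" are assumptions for illustration.

```python
import hashlib
import unicodedata

# Constructed mnemonic: the public BIP-39 test vector, not anyone's real seed.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048).
    Every distinct passphrase yields a distinct seed, i.e. a different wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def wallet_fingerprint(mnemonic: str, passphrase: str) -> str:
    """Stand-in for 'the addresses this seed + passphrase controls'."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:16]


class Device:
    """Hypothetical wallet model. confirm_on_screen=False mimics the unpatched
    behaviour (use whatever passphrase arrives over USB); True mimics the fix
    (show the received passphrase so the user can compare it with what they typed)."""

    def __init__(self, mnemonic: str, confirm_on_screen: bool):
        self._mnemonic = mnemonic
        self.confirm_on_screen = confirm_on_screen

    def unlock(self, received: str, user_typed: str):
        # Patched firmware: user rejects the session when the on-screen
        # passphrase does not match the one typed on the computer.
        if self.confirm_on_screen and received != user_typed:
            return None
        return wallet_fingerprint(self._mnemonic, received)


def session(device: Device, user_typed: str, tamper=None):
    """Host -> device passphrase transfer, optionally through an interposer
    that rewrites the passphrase in transit (the flaw described above)."""
    on_the_wire = tamper(user_typed) if tamper else user_typed
    return device.unlock(on_the_wire, user_typed)


def demo():
    swap = lambda p: p + "-substituted"  # interposer rewriting the passphrase
    honest = session(Device(MNEMONIC, False), "my pass")
    hijacked = session(Device(MNEMONIC, False), "my pass", swap)
    blocked = session(Device(MNEMONIC, True), "my pass", swap)
    # Unpatched: funds land in a wallet the user cannot reopen with "my pass";
    # the interposer cannot spend them either, since it lacks the mnemonic.
    return honest, hijacked, blocked
```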
UPDATE (Sept. 3, 17:31 UTC): Added comments from Trezor in the third paragraph.