SoylentNews is people

posted by martyb on Wednesday May 20 2020, @06:14AM
from the possession-is-9/10-of-pwnership dept.

Cryptocurrency Hardware Wallets Can Get Hacked Too:

Researchers from Ledger—a firm that makes hardware wallets itself—have demonstrated attacks against products from manufacturers Coinkite and Shapeshift that could have allowed an attacker to figure out the PIN that protects those wallets. The vulnerabilities have been fixed, and both hacks would have required physical access to the devices, which minimizes the danger to begin with. But Ledger argues that it's still worth holding hardware wallets to the highest standards, just as you would a closet safe.

[...] Shapeshift fixed a vulnerability in its KeepKey wallet with a firmware update in February. If you haven't already, connect your KeepKey wallet to the desktop app to download the update onto your device. A hardware flaw in Coinkite's Coldcard Mk2 wallet persists, but it is fixed in the company's current Coldcard model Mk3, which started shipping in October. The researchers will present their attack on the Mk2 at the French security conference SSTIC in June.

[...] In examining the KeepKey memory chip that stores a user's authentication PIN, the Donjon researchers found that they could monitor voltage output changes as the chip received PIN inputs to determine the PIN itself.

[...] ShapeShift patched the vulnerability in a firmware update that enhanced the security of the PIN verification function. The fix makes it more difficult to develop a reliable catalog of power consumption outputs that map to PIN values. Even if a wallet hasn't received the update, though, KeepKey owners can still add a passphrase—preferably over 37 characters long—to their wallets that acts as a second layer of authentication.

[...] The other new findings from Donjon focus on the Coldcard Mk2 wallet. The attack would be difficult for a hacker to carry out, because Coldcard uses special secure memory that blocks the type of side-channel attack the researchers launched against the KeepKey wallet and strictly limits PIN guessing. Coldcard manufacturer Coinkite outsources the chip from the microcontroller company Microchip. But the researchers still found that they could use what's called a "fault injection attack"—a hack that causes a strategic glitch triggering unintended, exploitable computer behavior—to force the chip into an insecure debugging mode. In this state, the chip's PIN guess limit isn't in effect, meaning an attacker could "brute force" the PIN by trying every possible combination until the wallet unlocks.

To trigger the special glitch, the researchers used an impressively outlandish attack, though one that is not inconceivable for a motivated and well-funded adversary. The fault injection comes from carefully opening the physical case of the Coldcard wallet, exposing the secure chip, physically grinding down its silicon without damaging it, and shining a high-powered, targeted laser on the chip in exactly the right location with precise timing. Laser fault injection rigs cost roughly $200,000 and require special skills to operate. They are typically used for security and performance testing in smart cards, like those in your credit card or passport.

