Kraken Discovers Critical Flaw in Trezor Hardware Wallets, Trezor Responds

  • The flaw was discovered back in October 2019 and is only now being publicly shared in order to help people protect themselves.
  • Using the passphrase feature is the best way to avoid the flaw, though there are downsides.

The Trezor One hardware wallet. GreyCoder

The news was shared today on the official Kraken blog and points to a critical flaw in both Trezor hardware wallet models – the Trezor One and the Trezor Model T.

The Kraken team had identified the flaw back in October 2019 and instantly notified the Trezor team of the matter. They decided to go public with the issue today in order to help owners of Trezor wallets protect themselves accordingly.

The flaw

According to the article on the Kraken blog, about 15 minutes of physical access is required in order to crack the encrypted seed. Kraken also showed visually, in a short video, how this works.

Since the flaw is in the hardware design of the Trezor wallet, there is nothing that can be done about already-produced wallets, aside from owners enforcing strict protection rules.

How to protect your Trezor wallet

Kraken recommends that owners allow no one else physical access to their device. They also recommend that owners of Trezor wallets enable the BIP39 passphrase, which can prevent an attack resulting from the uncovered flaw.

In the blog post, Kraken also estimates that it wouldn’t be difficult for malicious actors to mass-produce a user-friendly glitching device and sell it for around $75.

Trezor’s response

In a detailed blog post, Trezor have professionally and responsibly addressed the flaw, explaining exactly how the attack might occur and how owners of their wallets can protect themselves.

The CTO of SatoshiLabs, the company behind Trezor, Pavel Rusnak, commented on the situation:

“We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”

As per the closing paragraph of Trezor’s response to the flaw, users are urged to weigh both the pros and cons of using a passphrase: it prevents an attack based on the aforementioned flaw, but it risks the loss of all digital asset holdings if the passphrase is forgotten.
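
The trade-off described in the protection advice and in Trezor’s closing remarks, as an added example (not code from Kraken, Trezor or this article): BIP39 mixes the passphrase into the seed derivation, so the recovery seed on its own opens a different wallet than the seed plus passphrase, and a mistyped passphrase silently opens yet another one. It assumes the passphrase is not kept on the device; `bip39_seed` and `compare` are illustrative names, and the mnemonic and passphrases are constructed sample values using the public BIP39 test mnemonic.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39 defines this as PBKDF2-HMAC-SHA512 with 2048 iterations, the
    mnemonic as password and "mnemonic" + passphrase as salt (both NFKD).
    """
    def nfkd(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")

    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048, dklen=64
    )


# Constructed sample: the public BIP39 test mnemonic, never a real wallet.
MNEMONIC = "abandon " * 11 + "about"


def compare(owner_passphrase: str, entered_passphrase: str = "") -> dict:
    """Compare the owner's wallet seed with the seed derived from another entry.

    entered_passphrase="" models someone who holds only the recovery seed;
    any other value models the owner typing a passphrase from memory.
    """
    owner = bip39_seed(MNEMONIC, owner_passphrase)
    other = bip39_seed(MNEMONIC, entered_passphrase)
    return {
        "owner_seed": owner.hex(),
        "other_seed": other.hex(),
        "same_wallet": owner == other,
    }


if __name__ == "__main__":
    cases = {
        "recovery seed only": compare("TREZOR"),
        "correct passphrase": compare("TREZOR", "TREZOR"),
        "one-character typo": compare("TREZOR", "TREZ0R"),
    }
    for label, result in cases.items():
        # There is no error on a wrong passphrase: every input yields a valid seed.
        print(f"{label:20s} same_wallet={result['same_wallet']} "
              f"seed={result['other_seed'][:16]}...")
```
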
