The Trezor One hardware wallet. Image: GreyCoder

The news was shared today on the official Kraken blog and points to a critical flaw in both Trezor hardware wallet models, the Trezor One and the Trezor Model T.

The Kraken team identified the flaw back in October 2019 and promptly notified the Trezor team. It decided to go public with the issue today so that owners of Trezor wallets can protect themselves accordingly.

The flaw

According to the Kraken blog post, an attacker needs about 15 minutes of physical access to the device. By voltage-glitching the wallet's microcontroller, the attacker can dump the encrypted seed from its memory and then brute-force the PIN protecting it offline, at leisure. In a short video, Kraken showed how this works:

Video: Kraken Identifies Critical Flaw in Trezor Hardware Wallets

Because the flaw lies in the wallet's hardware design rather than its firmware, it cannot be patched on wallets that have already been produced. Owners can only mitigate it by strictly controlling physical access to the device and by using a passphrase.

How to protect your Trezor wallet

Kraken recommends never allowing anyone else physical access to the device. It also recommends that Trezor owners enable the BIP39 passphrase: the passphrase is never stored on the device, so the seed extracted by this attack does not by itself give access to the funds held under a passphrase-protected wallet.

In the blog post, Kraken also estimates that it would not be difficult for malicious actors to mass-produce a user-friendly glitching device and sell it for around $75.

Trezor’s response

In a detailed blog post, Trezor has professionally and responsibly addressed the flaw, explaining exactly how the attack works and how owners of its wallets can protect themselves.

Pavel Rusnak, CTO of SatoshiLabs, the company behind Trezor, commented on the situation:

“We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”

In the closing paragraph of its response, Trezor urges users to weigh the pros and cons of using a passphrase. The advantage is that it defeats this attack outright; the risk is that forgetting the passphrase means losing access to every asset held under it, since it cannot be recovered from the device or from the seed.
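To see why the passphrase recommendation made by Kraken above and by Trezor here actually holds, it helps to look at how BIP39 turns a mnemonic into a wallet seed. The following Python is an added example written for this page, not code from Kraken's or Trezor's posts, and it assumes only the public BIP39 derivation (PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase, 2048 iterations); the mnemonic used is the standard all-zero-entropy test mnemonic, and the passphrases are constructed for illustration. It shows that the same extracted mnemonic yields an entirely different seed for every passphrase, and that the passphrase is normalised (NFKD) before use, so a wallet set up with a composed accented character is the same wallet as one set up with its decomposed form.

```python
import hashlib
import unicodedata

# Constructed example input (not taken from Kraken's or Trezor's material):
# the standard BIP39 test mnemonic for 128 bits of all-zero entropy.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    Per BIP39: PBKDF2-HMAC-SHA512 with the NFKD-normalised mnemonic as the
    password, "mnemonic" + NFKD(passphrase) as the salt, and 2048 iterations.
    The passphrase is an input to this function only; nothing about it is
    stored alongside the mnemonic, which is why an attacker who dumps the
    mnemonic from a glitched device still has to guess it.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seeds_for_passphrases(mnemonic: str, passphrases) -> dict:
    """Map each candidate passphrase to the hex seed it would produce.

    This is the attacker's position after extracting the mnemonic: every
    passphrase opens a valid-looking wallet, and only one of them holds the
    owner's funds. Without the real passphrase there is nothing to check a
    guess against except the blockchain balance of each derived wallet.
    """
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def passphrase_hides_wallet(mnemonic: str, real_passphrase: str, guesses) -> bool:
    """True if none of the attacker's guesses reproduces the real wallet seed."""
    real = bip39_seed(mnemonic, real_passphrase)
    return all(bip39_seed(mnemonic, g) != real for g in guesses)


if __name__ == "__main__":
    # Hypothetical attacker guess list; the real passphrase is not in it.
    guesses = ["", "password", "trezor", "123456"]
    for p, seed_hex in seeds_for_passphrases(MNEMONIC, guesses).items():
        print(f"passphrase={p!r:12} seed={seed_hex[:16]}...")
    print("real wallet reachable by guesses:",
          not passphrase_hides_wallet(MNEMONIC, "correct horse battery", guesses))
    # NFKD normalisation: "é" typed as one code point or as "e" + combining
    # acute accent must open the same wallet.
    print("normalised equal:",
          bip39_seed(MNEMONIC, "caf\u00e9") == bip39_seed(MNEMONIC, "cafe\u0301"))
```

The empty passphrase is itself a valid wallet, which is the trade-off Trezor's closing paragraph refers to: the attacker who extracts the mnemonic gets that wallet for free, and only the funds held under a non-empty passphrase stay out of reach, provided the owner can still reproduce it exactly.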
