  • Kraken disclosed hardware flaws in both the flagship products of Trezor – Trezor One and Trezor Model T.
  • Though it was quick, the hack wasn’t “easy”: it needed about 15 minutes of “physical access” to the device and a few pieces of specialized equipment.

Crypto exchange Kraken’s cybersecurity division has disclosed a hardware flaw in both of Trezor’s flagship products, the Trezor One and the Trezor Model T. In a blog post, the exchange said that it took just 15 minutes to hack both wallets. It did admit that the process wasn’t “easy”, because the described method needed about 15 minutes of “physical access” to the device and a few pieces of specialized equipment.

The exchange said that it used voltage glitching to extract the encrypted seed from all the devices. The blog post noted that after extracting the seed, it brute-forced the encryption, which was trivially easy to do. The attack took advantage of “inherent flaws within the microcontroller used in the Trezor wallets.” According to Kraken, Trezor’s team will have a tough time resolving this issue “without a hardware redesign.” 

The exchange spent hundreds of dollars on equipment to carry out the hack but figured such a device could be sold for $75 if mass-produced. Kraken has contacted Trezor about this vulnerability. Pavol Rusnak, CTO of Trezor developer SatoshiLabs, reportedly said:

“We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”

Kraken Security Labs says that it aims to “try to discover attacks against the crypto community before the bad guys do” and that it “responsibly disclosed the full details of this attack to the Trezor team on October 30, 2019.” It says it went public with the issue “so that the crypto community can protect themselves before a fix is released by the Trezor team.”

Trezor responded to this, stating that device holders must use strong passphrases to keep their devices secure. In a blog post, Trezor said:

“Over the six years of existence of SatoshiLabs, we have dedicated a majority of our resources into mitigating remote attacks, and we have designed devices that are fully resistant to all online threats. We always knew that all hardware is hackable and the question about physical attacks is not if they will happen, but when they will happen.”
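
Why the strong-passphrase advice above helps even if the recovery words are extracted, shown as an added example that is not from Kraken, Trezor or the original article. It assumes the passphrase meant is the BIP-39 passphrase, which is mixed into the wallet seed rather than kept with the recovery words; the mnemonic is the public BIP-39 test phrase and the guess rate is a hypothetical figure.

```python
import hashlib
import math
import unicodedata

# Constructed sample: the public BIP-39 test mnemonic, never a real wallet.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 wallet seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = mnemonic, salt = "mnemonic" + passphrase."""
    def norm(s: str) -> bytes:
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048, dklen=64
    )


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase of `length` symbols drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the passphrase (half the space searched)
    at an assumed offline guessing rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The recovery words alone open only the no-passphrase wallet.
    plain = bip39_seed(SAMPLE_MNEMONIC)
    hidden = bip39_seed(SAMPLE_MNEMONIC, "TREZOR")
    print("no passphrase  :", plain.hex()[:16], "...")
    print("with passphrase:", hidden.hex()[:16], "...")

    rate = 1e6  # hypothetical guesses per second, an assumption
    for label, bits in [
        ("4 random digits", passphrase_bits(4, 10)),
        ("6 random words from a 7776-word list", passphrase_bits(6, 7776)),
    ]:
        years = years_to_search(bits, rate)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years")
```

The same recovery words produce an unrelated seed for every passphrase, so funds kept behind a high-entropy passphrase stay out of reach of whoever holds only the words; a short or guessable passphrase adds almost nothing.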