- A recent Kraken blog post discussed a severe flaw present in all KeepKey hardware wallets. Kraken's security research wing stated that it discovered a way to extract seeds from KeepKey wallets.
- A seed phrase is a string of random words that enables owners to recover their cryptocurrency wallets. Anyone with access to seeds can gain access to crypto funds that are stored on a wallet.
The US exchange found that KeepKey devices have an issue related to their microcontrollers. Kraken claimed that someone with access to a victim's wallet could use specialized hardware to read its encrypted seed. To make use of it, the attacker would also need to work out the wallet's PIN code by brute force. The issue is present in all KeepKey wallets currently in circulation.
This, unfortunately, means that it is difficult for the KeepKey team to do anything about this vulnerability without a hardware redesign.
KeepKey dismissed Kraken's findings as lacking relevance. In June, the trading platform said that KeepKey can protect users' funds from malware, viruses, attack vectors, or remote hackers trying to steal private keys. However, the company is as helpless as any other wallet firm when it comes to protecting clients' devices from physical attacks.
ShapeShift, which supports KeepKey as its premier wallet on its crypto-to-crypto exchange, wrote:
If somebody else has physical access to your device — as well as the time, skill, and tools necessary — they will always be able to command the device to do whatever they want, bypassing any digital lock that exists. Again, this is true of any hardware wallet.
Charles Guillemet, the chief security officer at Ledger, claimed that hackers could guess a KeepKey wallet's passphrase in a few seconds by trying different combinations. Kraken repeated the same evidence in its blog post, leading ShapeShift to publish an eleven-step manual to fix the issue.
Guillemet recommends using passphrases composed of at least 32 characters made up of a unique combination of numbers, symbols, as well as upper and lower-case letters… With a sufficiently-long passphrase, if an attacker takes the data off your device, they’ll never be able to unlock it. Your PIN and your passphrase keep your funds safe.