QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
JUNE 2019
GLOBAL
KEEPKEY
DESCRIPTION OF EVENTS
"The Next Frontier of Crypto Security. Protect your cryptocurrencies, store your private keys offline, and safeguard your assets from hackers. It’s time to achieve financial freedom in the most secure way with KeepKey."
"Hardware wallets (like KeepKey) are designed to protect you from the most common attack vectors: including malware, viruses, and remote hackers looking to steal private keys. But — the vulnerability that Guillemet and Ledger reference does not attack keys in these ways."
"Rather, this vulnerability is one in which an attacker would need to have physical possession of your KeepKey. KeepKey’s job is to protect your keys against remote attacks."
"If somebody else has physical access to your device — as well as the time, skill, and tools necessary — they will always be able to command the device to do whatever they want, bypassing any digital lock that exists."
"ShapeShift recommends that you secure your device with the same caution you would with other investments or valuables. Protect your KeepKey like it could be stolen tomorrow."
"While PIN codes add 4–9 simple digits to create a barrier between hackers and your private key(s), 9 digits aren’t enough. In his presentation, Guillemet demonstrated that you can guess a 9-digit PIN in approximately one minute."
"With KeepKey, you’re able to set a passphrase that provides an added layer of protection."
"From our understanding, there’s no way to patch it, there is only one mitigation: the use of a long passphrase. In this context, as the seed itself can be considered as public, the passphrase should be long enough to prevent brute-force or dictionary attacks."
"Guillemet recommends using passphrases comprised of at least 32 digits made up of a unique combination of numbers, symbols, as well as upper and lower-case letters."
"With a sufficiently-long passphrase, if an attacker takes the data off your device, they’ll never be able to unlock it. Your PIN and your passphrase keeps your funds — safe."
With physical access to a KeepKey hardware wallet, it is possible to obtain the seed phrase from the device.
HOW COULD THIS HAVE BEEN PREVENTED?
Adding a passphrase will encrypt the stored seed phrase. A longer passphrase makes it harder for an attacker to extract the information.
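To put numbers on the passphrase advice, the following added example (not code from ShapeShift, Ledger or this page) checks a candidate against the quoted recommendation and estimates its search space. It assumes the standard BIP39 derivation, which the page does not state, and a guess rate taken from the quoted "9-digit PIN in approximately one minute"; the mnemonic and sample secrets are constructed.

```python
import hashlib
import math
import string
import unicodedata

# Character classes named in the quoted recommendation.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " ")
# Assumed guess rate: the page's "9-digit PIN in about one minute".
GUESSES_PER_SECOND = 10**9 / 60

def bip39_seed(mnemonic, passphrase=""):
    """Assumed BIP39 derivation: the passphrase is part of the PBKDF2 salt,
    so it is not stored on the device and each passphrase gives a new seed."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048, dklen=64)

def keyspace_bits(secret):
    """Upper bound in bits, assuming uniformly random characters drawn
    from the classes that appear in the secret."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in secret))
    return len(secret) * math.log2(pool) if pool else 0.0

def seconds_to_exhaust(secret, rate=GUESSES_PER_SECOND):
    """Time to try every candidate of this shape at the assumed rate."""
    return 2 ** keyspace_bits(secret) / rate

def meets_recommendation(secret):
    """At least 32 characters mixing numbers, symbols, upper and lower case."""
    return len(secret) >= 32 and all(
        any(ch in c for ch in secret) for c in CLASSES)

if __name__ == "__main__":
    # Constructed inputs: public BIP39 test mnemonic and sample secrets.
    mnemonic = "abandon " * 11 + "about"
    for s in ("123456789", "correct horse", "vK7#pQ2!mZ9@xL4$wR6%tB8^nH3&cJ5*"):
        print(f"{len(s):>2} chars  {keyspace_bits(s):6.1f} bits  "
              f"{seconds_to_exhaust(s):.3g} s  ok={meets_recommendation(s)}  "
              f"seed={bip39_seed(mnemonic, s).hex()[:16]}")
```

The bit counts are upper bounds: a passphrase built from dictionary words or reused elsewhere has far less effective entropy than its length suggests.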
KeepKey - Hardware Wallet | ShapeShift (May 2)
Responding To Ledgers 2019 Breakingbitcoin Findings (May 2)
Unfixable Seed Extraction on Trezor - A practical and reliable attack (May 4)