Azoundria: Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/trezorhackedbykrakensecuritylabs.php}} {{Unattributed Sources}} TrezorTrezor doesn't use a Secure Element, leaving their devices susceptible to physical hacking attacks involving opening and tampering. Kaspersky Labs reported that Trezor uses a single STM32 chip, storing the private key in its non-volatile flash memory. Kraken Security Labs demonstrated how they exploited..."

2023-09-01T16:01:55Z

Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/trezorhackedbykrakensecuritylabs.php}} {{Unattributed Sources}} thumb|TrezorTrezor doesn't use a Secure Element, leaving their devices susceptible to physical hacking attacks involving opening and tampering. Kaspersky Labs reported that Trezor uses a single STM32 chip, storing the private key in its non-volatile flash memory. Kraken Security Labs demonstrated how they exploited..."

New page

{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/trezorhackedbykrakensecuritylabs.php}}
{{Unattributed Sources}}

[[File:Trezor.jpg|thumb|Trezor]]Trezor doesn't use a Secure Element, leaving their devices susceptible to physical hacking attacks involving opening and tampering. Kaspersky Labs reported that Trezor uses a single STM32 chip, storing the private key in its non-volatile flash memory. Kraken Security Labs demonstrated how they exploited this vulnerability using a "glitching device" to extract an encrypted seed, then used brute force to crack the seed's PIN. They estimated that a consumer-friendly glitching device could be mass-produced for $75. Trezor acknowledged the attack and the significance of ethical hacking, suggesting users activate the BIP39 passphrase for protection until a hardware redesign is implemented.

This is a global/international case not involving a specific country.<ref name="redditold-11513" /><ref name="coolwallet-11514" /><ref name="youtube-11515" /><ref name="krakenblog-11516" /><ref name="redditold-11517" />

== About Trezor ==
"Trezor is known for not taking criticism lying down. After the Ledger Donjon’s disclosure in March 2019 of several vulnerabilities in the Trezor models, Trezor responded with a strong-worded response, countering with arguments like the “$5 wrench attack” fallacy, stating that it didn’t matter how secure your device was, it only mattered how well you protected your private key and seed passphrase against intruders."

"Trezor doesn’t use a Secure Element and therefore their devices are vulnerable to physical hacking attacks where the device is opened and then tampered with.

According to a report by Kaspersky Labs, Trezor only uses a single STM32 chip, a general-purpose microcontroller based on ARM architecture, where they store the private key in its non-volatile flash memory."

"In short, here’s how the security firm did it:

They used the equipment to build a “glitching device” to extract the hardware wallet’s encrypted seed by attacking the STM32 microchip.
They then used brute force to crack the encrypted seed (protected by a 1-9 digit PIN) within a few minutes to gain access to the device."

"This attack relies on voltage glitching to extract an encrypted seed. This initial research required some know-how and several hundred dollars of equipment, but we estimate that we (or criminals) could mass produce a consumer-friendly glitching device that could be sold for about $75."

"Kraken Security Labs say the weakness is in the microcontroller of the Trezor wallets, therefore it will require a complete overhaul of the cold storage device’s design. Trezor is aware of this weakness but hasn’t made any changes yet."

"This time, Trezor acknowledged the security attack and the importance of ethical hacking by third parties to help improve the overall security of the crypto industry."

"Kraken suggested in the meantime, Trezor users activate their BIP39 passphrase with a Trezor client in order to protect the wallet, as it’s not stored on the actual hardware wallet."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.

Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - Trezor Hacked By Kraken Security Labs
!Date
!Event
!Description
|-
|October 30th, 2019
|Disclosure Of Attack
|The Kraken Security Team discloses the issue to Trezor.
|-
|January 31st, 2020 7:57:29 AM MST
|Reddit Thread
|The issue is discussed on Reddit.
|}

== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

== Total Amount Lost ==
No funds were lost.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="redditold-11513">[https://old.reddit.com/r/CryptoCurrency/comments/ewplf5/it_took_kraken_security_labs_just_15_minutes_to/fg5y0ss/ normal_rc comments on It took Kraken Security Labs just 15 minutes to hack both of @trezor’s crypto hardware wallets.] (Oct 17, 2022)</ref>

<ref name="coolwallet-11514">[https://www.coolwallet.io/kraken-hacks-trezor-in-15-minutes/ https://www.coolwallet.io/kraken-hacks-trezor-in-15-minutes/] (Aug 23, 2023)</ref>

<ref name="youtube-11515">[https://www.youtube.com/watch?v=6pKuHYwrGkU Kraken Identifies Critical Flaw in Trezor Hardware Wallets - YouTube] (Aug 23, 2023)</ref>

<ref name="krakenblog-11516">[https://blog.kraken.com/product/security/kraken-identifies-critical-flaw-in-trezor-hardware-wallets Kraken Identifies Critical Flaw in Trezor Hardware Wallets « Kraken Blog] (Aug 23, 2023)</ref>

<ref name="redditold-11517">[https://old.reddit.com/r/CryptoCurrency/comments/ewplf5/it_took_kraken_security_labs_just_15_minutes_to/ It took Kraken Security Labs just 15 minutes to hack both of @trezor’s crypto hardware wallets. : CryptoCurrency] (Aug 23, 2023)</ref></references>

Trezor Hacked By Kraken Security Labs - Revision history