It looks like the popular Trezor T hardware wallet might not be as secure as we all thought.
Cybersecurity firm Unciphered recently claimed that it managed to hack the wallet by exploiting a hardware vulnerability. They even showcased the hack in a YouTube demonstration, so you can see it for yourself.
<iframe width=”560″ height=”315″ src=”https://www.youtube.com/embed/M78BpPCO43Q” title=”YouTube video player” frameborder=”0″ allow=”accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share” allowfullscreen></iframe>
The Trezor T hardware wallet is one of the most popular wallets in the market today, so this news might come as a shock to many users. The hardware is disassembled in the video by Unciphered before the seed phrase or private key are obtained. The wallet must be physically in your possession, along with the necessary tools for the hack. Unciphered additionally stated that there is no way to fix the vulnerability without initiating a complete recall of all Trezor T wallets.
The Unciphered team claimed to have created an “in-house exploit” that allowed them to obtain the firmware for the wallet. The team was able to decipher the pin seed phrase for the Trezor T hardware wallet by using specialized GPU chips, according to Unciphered co-founder Eric Michaud.
Hardware wallets are typically used to store private keys offline. Because these wallets keep the private keys offline, they’re generally considered highly secure. However, Unciphered’s demonstration demonstrates that, in theory, a hacker or other malicious person could circumvent the hardware security mechanisms in a Trezor T wallet.
There has been some speculation that Unciphered’s demonstration exposed a long-known vulnerability. Unciphered refuted this, claiming that the relevant old vulnerability had been patched in 2019. The vulnerability and the technique to exploit it, according to the company, were created in-house.
This isn’t the first time Unciphered has successfully retrieved seed phrases from a hardware wallet. In February, the cybersecurity company demonstrated a similar hack of a popular hardware wallet, OneKey.
Trezor remarked in response to Unciphered’s demonstration that the exploit shared many characteristics with the Read Protection Downgrade (RDP) vulnerability. Researchers from Kraken Security Labs found this flaw, which affected both the Trezor One and the Trezor Model T. This suggests that Trezor is aware of the vulnerability, to put it briefly. Tomá Suánka, chief technology officer at Trezor, stated that a strong passphrase can be used to secure Trezor devices, adding an additional layer of security that makes an RDP downgrade useless.
Trezor further added that it had taken steps to resolve the issue and had developed a new secure element for hardware wallets in collaboration with its sister firm, Tropic Square.
With their promise of keeping seed phrases and access codes offline and safe from hackers, hardware wallets have long been considered the pinnacle of safety for storing digital assets. However, recent events, like the one involving Unciphered and Trezor T, have put a dent in the reputation of hardware wallets.
While hardware wallets are still a reliable option for storing digital assets, it’s essential to stay informed and vigilant about potential vulnerabilities. And, as always, make sure to use a strong passphrase to add an extra layer of security to your wallet.