Issue #388: Wallet vulnerabilities

Dec 28, 2018
Marty's Ƀent

Here's something sure to unsettle you freaks. Yesterday afternoon, at the #35c3 conference, the team from wallet.fail brought out the big guns and hacked the shit out of cryptocurrency hardware wallets. I highly recommend you freaks peep the one-hour talk + demonstration when you get a chance (especially if you own and use a hardware wallet) because there are some important attack scenarios they describe that you should be aware of. Before we jump into it, I will stress that I have assumed that hacks like these were possible.

😬



The good thing to note is that an attacker would need physical access to your device at some point to pull off most of these attacks, so if you bought your device directly from the producer and have done a good job securing your Trezor, in particular, you're probably good. If you have a Ledger Nano S, I would recommend using something else as these guys proved they could remotely sign transactions without having physical access to the device. Very scary to think about, especially if you store a significant amount of capital on these devices.

Throughout the talk, the presenters run the gamut of possible attack vectors, which include supply chain attacks, firmware vulnerabilities, side-channel attacks, and chip-level vulnerabilities. Each vector comes with unique ways of compromising your device and, by extension, your financial security. So, again, peep the presentation when you get a chance. If anything, it's a nice reminder of why having an adversarial mindset is imperative in this arena. We need more teams like wallet.fail to point out these vulnerabilities so we can sharpen our defenses. Though, it seems as though they didn't make the Ledger and Trezor teams aware of these vulnerabilities in a very responsible way (they found out by watching the presentation), which is a bit shitty.

At the end of the day, if you own a Trezor, make sure you add a passphrase as an extra layer of security (make sure you write the passphrase down and store it safely!) because it stops most of these attacks in their tracks.

Here are Ledger & Trezor's official responses to the presentation.

Now, if that wasn't unsettling enough, you freaks should also be aware of the much more effective phishing attacks that Electrum users have been experiencing lately.

#Bad

Peep the official breakdown here and NEVER download an Electrum wallet from anywhere other than www.electrum.org.


Final thought...

Bird Box, I liked it. Enjoy your weekend, freaks! I'll see you in the new year.
