ShapeShift Addresses KeepKey Hardware Wallet Vulnerability

ShapeShift responded to an alleged vulnerability submitted through its responsible disclosure program in a Medium post published on Aug. 4. Per the announcement, the firm received a vulnerability report through the program on May 1, which described what the researchers believed to be a hardware vulnerability.

ShapeShift, a producer of cryptocurrency swaps and hardware wallets, has addressed recent allegations of a vulnerability in the KeepKey hardware wallet.

The purported vulnerability would allow an attacker to read what was on the wallet’s screen by monitoring power fluctuations to the display in what is known as a side-channel attack.

If attackers were monitoring the power levels while sensitive information was displayed on-screen, this would ostensibly give them the opportunity to steal funds from the device.

The “vulnerability” is impractical

ShapeShift notes that, to obtain access to sensitive information displayed on-screen, an attacker would need to have physical access to the device and accurately monitor the KeepKey’s energy consumption with an oscillometer (or a similar instrument) as the information is displayed.

ShapeShift explains that, since this alleged vulnerability would require physical access, there would be a simpler way to acquire the information:

“By comparison, it would be far easier to steal someone’s Recovery Phrase by simply looking over their shoulder while they set up their KeepKey or installing a hidden camera in the room in which it was being initialized.”

ShapeShift states that a side-channel attack would require physical access, specialized equipment, hardware skills and statistical analysis of the data to derive the displayed contents from the display’s energy consumption alone. Furthermore, it claims that, even if all of those requirements were met, it would still be highly difficult to interpret the data:

“Due to the larger display in KeepKey, multiple Recovery Phrase words are displayed at once. This makes it much more difficult to identify individual words (and the order of words) based off the power used by the screen.”

As Cointelegraph reported in March, major hardware wallet manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices. Trezor responded by claiming that none of the weaknesses revealed by Ledger in its report are critical.

SatoshiLabs Rolls Out Bitcoin-Only Firmware for Trezor Wallets

SatoshiLabs, the Prague-based manufacturer of Trezor hardware cryptocurrency wallets, released a beta version of its new firmware that supports Bitcoin exclusively.

“Orange coin good!”

According to the blog post published on Sept. 9, SatoshiLabs’ new BTC firmware is now available to download for both Trezor One and Trezor Model T. The company also noted that it aims to introduce a “stable version” of Bitcoin-only firmware in the next month’s release, adding:

“From now on, we will be producing four different versions of firmware – regular (full altcoin support + U2F/WebAuthn) and Bitcoin-only, for both Trezor One and Model T. … We have created a customized version of both our firmware and Wallet designed for everyone who supports the idea of Bitcoin. Every Bitcoin maximalist can now enjoy the Wallet interface with nothing else but Bitcoin.”

Firmware for Bitcoin maximalists

Per the announcement, to install the new firmware, users will need a Trezor Model T (version 2.1.0 or newer) or a Trezor One, access to Trezor Beta Wallet or trezorctl, and the correct firmware installation file.

As Cointelegraph reported on March 11, Trezor’s direct competitor, major hardware crypto wallet manufacturer Ledger, disclosed five reported vulnerabilities in Trezor One and Trezor Model T.

In response, Trezor later claimed that none of the weaknesses revealed by Ledger are “critical” for hardware wallets. It was stated that none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.”
