Topic: Hardware wallets OLED Display Vulnerability [Trezor One, Ledger Nano S/X, etc.]

legendary
Activity: 2604
Merit: 2353
This is the kind of exploit you only see happen in movies.
No I'm sorry, but there is a real danger for the exchanges and the custodial wallet providers if they are using those devices for their cold wallets. Some "evil maids" or employees could use this vulnerability.

Why would an exchange employee even bother trying to detect the real number on the oscilloscope when he already has access to the PIN and seeds? If he doesn't have something like that he would need to steal the wallet and then try to extract the seeds in a controlled environment, and for that to happen he would need to have specialized equipment and then try to return the wallet intact back to the exchange office.
Why would the employee who already knows the seed or the PIN want to do that? I'm obviously not talking about him but about all the others, the "evil maid"...
According to Trezor and Ledger an oscilloscope is not mandatory, a Software-Defined Radio is enough to exploit the vulnerability.
But they don't explain what they're calling a Software-Defined Radio here: whether some additional hardware is needed to catch the signal or not, on every motherboard or not...
full member
Activity: 728
Merit: 115
This is the kind of exploit you only see happen in movies.
No I'm sorry, but there is a real danger for the exchanges and the custodial wallet providers if they are using those devices for their cold wallets. Some "evil maids" or employees could use this vulnerability.

Why would an exchange employee even bother trying to detect the real number on the oscilloscope when he already has access to the PIN and seeds? If he doesn't have something like that he would need to steal the wallet and then try to extract the seeds in a controlled environment, and for that to happen he would need to have specialized equipment and then try to return the wallet intact back to the exchange office.

 



legendary
Activity: 2604
Merit: 2353
This is the kind of exploit you only see happen in movies.
No I'm sorry, but there is a real danger for the exchanges and the custodial wallet providers if they are using those devices for their cold wallets. Some "evil maids" or employees could use this vulnerability.
legendary
Activity: 2730
Merit: 7065
I have an update notification in Ledger live so will update it soon. They mentioned you need to use the USB that was tampered by the attacker so we aren't using that. I use the USB that came with the wallet and not any other USB cable so I am still safe right? 
A malicious person would have to produce a lot of these fake USB wallets and be on the look-out for owners of hardware wallets. In case your original USB cable stops working and you make an ad to try and purchase a replacement cable, he could try and sell you one of his.
But still he would need to get physical access to your hardware wallet after you used his cable already. Why go through all the trouble, seems to me that a baseball bat could be more effective.

The only real danger here is getting targeted by someone close to you, a family member or friend who also has access to your home and who could do the swap in case he wants to rob you. 
hero member
Activity: 1568
Merit: 544
It is a good thing people test these devices and discover flaws like this. Thanks for posting this op.

I really doubt someone is going to break into my apartment building, then break into my apartment, then swap out the one USB cable I use for my hardware wallet (out of the 5 on my desk)
And it needs to match your cable ;)
My best guess: should someone want to abuse this, they will give out the cables for free.
Don't plug stuff into your computer from unknown sources.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
I still don't understand how could user be affected by this discovery even without updating to the latest firmware?
This is really an edge vulnerability, and most likely the majority of users keeping even large amounts by personal standards are not at serious risk of the loss of coin.

The specific type of display the Trezor One uses will consume different amounts of power depending on how many pixels are displayed on the screen. The Trezor One display will also start to display one line of pixels at a time, with each subsequent line being displayed fractions of a second after the prior line. This means someone monitoring the power consumption of your Trezor One can determine how many pixels on each line your Trezor One is displaying at a time. An attacker could use this information to reasonably guess what is being displayed on your Trezor's screen.

If you were creating a new seed with your Trezor One, an attacker could learn the seed words, and the position of each word that the Trezor One displays. An attacker could also know which row each number is displayed on your Trezor One when displaying the numbers when you enter your PIN; this will allow an attacker to learn your PIN if they monitor your Trezor One's power consumption and monitor your computer after you enter your PIN multiple times.

In order for this attack to be successful, an attacker must have physical access to your computer, and they must install specialized equipment in your computer without you noticing. The attacker must compromise your computer *before* you use your Trezor One on the computer, and cannot learn any information after the fact.

This attack would be specifically targeted to its potential victims. The vulnerability has already been patched with new firmware that instructs the Trezor One to display additional random pixels that make this attack vector moot.
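
The leak and the countermeasure described in the post above can be checked with a small leakage model. This is an added example, not part of the original post and not Trezor or Ledger firmware; the 3x5 glyphs, the nearest-profile scoring and the noise budget of 40 pixels per row are assumptions made for illustration.

```python
import random

# Constructed 3x5 digit glyphs ("1" = lit pixel); not a real wallet font.
GLYPHS = {
    "1": ["010", "110", "010", "010", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "7": ["111", "001", "010", "010", "010"],
    "8": ["111", "101", "111", "101", "111"],
}

def row_profile(digit):
    """Lit pixels per scanned row: the quantity that drives power draw."""
    return [row.count("1") for row in GLYPHS[digit]]

def masked_profile(digit, rng, noise_pixels=40):
    """Row profile after the firmware lights 0..noise_pixels random extra
    pixels on every row (assumed model of the 'random pixels' patch)."""
    return [n + rng.randint(0, noise_pixels) for n in row_profile(digit)]

def classify(observed):
    """Nearest known profile (squared distance): how a leakage evaluator
    scores how much a row-count trace reveals."""
    def distance(d):
        return sum((a - b) ** 2 for a, b in zip(row_profile(d), observed))
    return min(GLYPHS, key=distance)

def recovery_rate(masked, trials=2000, seed=1):
    """Fraction of displayed digits identified from one row-count trace."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        digit = rng.choice(list(GLYPHS))
        obs = masked_profile(digit, rng) if masked else row_profile(digit)
        hits += classify(obs) == digit
    return hits / trials

if __name__ == "__main__":
    print("unpatched:", recovery_rate(masked=False))
    print("random pixels:", recovery_rate(masked=True))
```

The model scores a single observation per displayed digit, so it says nothing about how the countermeasure holds up when the same screen is measured repeatedly.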

HCP
legendary
Activity: 2086
Merit: 4361
This is the kind of exploit you only see happen in movies.
Exactly... a lot of these exploits, while being possible, are highly improbable of actually being able to be used.

It's a bit like the possibility of being hit by a meteorite while walking down the street is non-zero, but highly improbable... so you will quite happily walk down the street without worrying too much about it. Same goes for a lot of these hardware wallet hacks. They're "possible", but "improbable"...

I really doubt someone is going to break into my apartment building, then break into my apartment, then swap out the one USB cable I use for my hardware wallet (out of the 5 on my desk) etc... I'm more worried about getting hit by meteorites tbh.
legendary
Activity: 2632
Merit: 1094

Yes, you are. Anyway, in Ledger's case, you don't have to worry about it when using a wallet normally. The only thing that theoretically could be obtained by an attacker is your PIN code. People who want to generate a new seed or restore the old one, should connect their wallets to a wall charger or use the built-in battery (Nano X). It's very unlikely that you will be targeted now. I would not worry about it.

Thanks! Even if they don't connect it to a wall charger, they should be safe as nobody has been hacked due to this vulnerability till now. With the upcoming update, this possibility also will be ruled out anyway.
sr. member
Activity: 1197
Merit: 482
This is the kind of exploit you only see happen in movies.
legendary
Activity: 2268
Merit: 18748
So for this attack to be successful, an attacker would need the technical knowledge to build such a device, shrink it to a size that would fit inside a USB cable, physical access to my house to switch out my USB cable without me knowing about it, wait for me to use my device, and then physical access to my house a second time to retrieve the altered USB cable with the data stored within?

Surely if they have both the technical knowledge and the physical access to do all that, it would be far easier for them to just install a hidden camera to watch me type in my PIN? This isn't a vector of attack I am going to be getting too worried about.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
The real danger is actually elsewhere, just check Ledger Reddit and you will see how many users have lost coins in the last few days by entering their seed in fake tools presented by fake Ledger support accounts.

Yes, I even mentioned this attack here

Those attacks where the hacker needs physical contact with the Ledger are unlikely to happen, and I agree that hardware wallet users shouldn't worry.

Sadly phishing attacks are getting more sophisticated every day, such as the Electrum 4.0 phishing update and this Ledger bot.

The biggest vulnerability exploited on hardware wallets is their users, who can be phished. Sadly.
legendary
Activity: 1876
Merit: 3132
I use the USB that came with the wallet and not any other USB cable so I am still safe right?  

Yes, you are. Anyway, in Ledger's case, you don't have to worry about it when using a wallet normally. The only thing that theoretically could be obtained by an attacker is your PIN code. People who want to generate a new seed or restore the old one, should connect their wallets to a wall charger or use the built-in battery (Nano X). It's very unlikely that you will be targeted now. I would not worry about it.
legendary
Activity: 2632
Merit: 1094
I have an update notification in Ledger live so will update it soon. They mentioned you need to use the USB that was tampered by the attacker so we aren't using that. I use the USB that came with the wallet and not any other USB cable so I am still safe right? 
legendary
Activity: 2464
Merit: 3878
If you are already using firmware version 1.5.5 there is no newer update for now. Just use the cable that came with your Ledger device.
Not sure about it yet. I will check the firmware later today. By the way, I always used the cable that came with the original device. I am sure I am safe here.

Honestly speaking, it is very hard for this kind of scam to succeed. It is only possible if someone very close to you knows you and has access to your cables.
legendary
Activity: 2730
Merit: 7065
I don't think this is a big concern really. To be affected by this you would need to purchase a modified USB cable so that this attack could be performed.
As long as you don't purchase USB cables for your hardware wallets from third parties you are safe. Unless someone from Ledger supplies you with a modified cable but that is a whole other story... 

Thanks for the heads up. I will be updating my one (Ledger Nano S) today.
If you are already using firmware version 1.5.5 there is no newer update for now. Just use the cable that came with your Ledger device.
legendary
Activity: 2506
Merit: 1394
I would agree that this is a minor vulnerability, and that users of hardware wallets have no reason to worry too much; this kind of attack is very complicated, and a hacker would need to modify your USB cable.
Even Ledger says that it is minor since they don't immediately update their firmware, unlike Trezor.

Thanks for the heads up. I will be updating my one (Ledger Nano S) today.
Sad to say, Ledger doesn't have any immediate updates about this; as said in their article, it will be in Q4 2019.
legendary
Activity: 2464
Merit: 3878
Thanks for the heads up. I will be updating my one (Ledger Nano S) today.

Scammers are creative, I have to say. They are doing possibly everything to steal the funds people have. Shame.
legendary
Activity: 3234
Merit: 5637
I would agree that this is a minor vulnerability, and that users of hardware wallets have no reason to worry too much; this kind of attack is very complicated, and a hacker would need to modify your USB cable.

Many such vulnerabilities that were found in the past require physical interaction with the hardware wallet, so if users follow recommended security practices the actual danger is actually very small. The real danger is actually elsewhere, just check Ledger Reddit and you will see how many users have lost coins in the last few days by entering their seed in fake tools presented by fake Ledger support accounts.
legendary
Activity: 2506
Merit: 1394
EDIT: Can confirm that you need to use beta-wallet.trezor.io for the new firmware to show up. Otherwise, it updated without wiping for me, so I didn't need to re-enter the seed or anything. Seems to work as described... random white pixels showing up on the screen:
https://i.imgur.com/dTMdb2u.png
Version 1.6.1 and below then update to version 1.6.3 only wipes the device memory as stated in the article; those random pixels on the screen are much better, like for security purposes. It looks like an additional design for the interface, but overall it is much better, especially to secure our hardware wallets.

I still don't understand how could user be affected by this discovery even without updating to the latest firmware?
It is clearly stated that they aren't aware of any equipment that could actually do something like that to Trezor wallet or any hardware wallet with that kind of display.
But the only possible thing an attacker can do is to manipulate the USB connecting the Trezor One and the computer. They are really not aware of what the user can use to connect their hardware wallet, like the USB cable connecting it to your computer or an OTG cable to mobile phones.
full member
Activity: 728
Merit: 115
I still don't understand how could user be affected by this discovery even without updating to the latest firmware?

It is clearly stated that they aren't aware of any equipment that could actually do something like that to Trezor wallet or any hardware wallet with that kind of display.
They say that the Trezor wallet doesn't need to be tampered with and also that the equipment needed for this kind of attack cannot be found in any circuitry available on USB or PC, only in electronic labs, for example an oscilloscope etc... So you can only do something like this in a controlled environment to have any chance of success.

"This attack is possible without any modifications to the hardware wallet itself, but requires unique components that are typically not present in USB circuitry."

Lots of smoke for nothing.