Topic: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware (Read 664 times)

Completely agree. Even when using a hardware wallet which does not have this vulnerability, or an encrypted cold wallet, no setup should be assumed to be 100% safe. It should be seen as a method to buy you varying lengths of time to secure your coins before they can be stolen. Just as if my laptop was stolen, despite its whole disk encryption, I would still revoke its permissions and change all my passwords, if my hardware or cold wallets were stolen, I'd be using back ups to move all the coins within.

I do use multiple passphrases, but I'm not a fan of solely relying on this method. I no longer use any Trezor devices, but if someone was to steal one, it would likely be a targeted attack because I had been sloppy with address reuse or similar and exposed some holdings, so they would know exactly how much bitcoin they were looking for. Further, physically stealing the wallet would be the hard part of the attack, and continually trying to brute force a passphrase relatively easy, so I suspect they might continue until they find what they are looking for. All my wallets are in locations where I would personally discover they are missing or be informed as such by trusted third parties with a maximum of 24 hours.

It really comes down to balancing security vs convenience. it is also a balance of security vs being able to memorize your password. If you have a complex password full of entropy, that is great and all, but it kinda defeats the point if you can't decrypt it because you forgot your passphrase.
No, it is not. They could enable it by default, or prevent it from being disabled. None of this would prevent someone from using a blank passphrase, or a very simple one such as zzzz

It's a fair point, but look at the flipside. First Ledger and then Kraken were able to pull off this attack. It's only a matter of time before someone malicious figures it out, if they haven't already, meaning it's only a matter of time before someone losses their coins to this vulnerability. All it will take is one major theft with the news that Trezor knew about the vulnerability and didn't warn the user in question to completely ruin their reputation.

I also don't envy their position, but I think the responsible thing to do would be to clearly state the vulnerability and the requirement for a passphrase, whilst stating that they are working on new hardware which will mitigate the attack.

I wonder if it is even technically possible for Trezor to enforce passphrases by default in their wallet? The passphrase functionality is currently "hidden" in the advanced settings once you get the wallet setup and I believe it actually sets a flag within the device so that the web interface asks for a passphrase during wallet unlocking.

So, theoretically, during the onboarding process, the web interface could simply set this flag and basically "demand" that the user set a passphrase... at which point, we'd most likely get users using substandard passphrases anyway... or thinking that they can simply "reset" the passphrase at some point like a computer password and end up forgetting it etc

I can understand the commercial reasons why Trezor are not that keen to "advertise" the flaw... after all, it's supposed to be a secure device... and saying "There is a massive hole in our security, but just use a long random password and you're all good" kind of negates that proposition and would scare off potential users (aka customers).

Meanwhile, more tech savvy users are savaging them on forums/twitter/reddit etc for this exact reason.

Certainly a reputational juggling act that I'm glad I don't have to attempt to perform!

Yeah, agreed.

I use whole disk encryption on all my devices. The decryption key for my laptop which I use day-to-day for emails, work, etc. but not for my crypto wallets is around 100 bits of entropy, because as you say I have to enter it probably 5-10 times a day. The decryption key for my airgapped device which I store my cold wallets on is just short of 300 bits of entropy, because I wanted it to be at least as secure as a 24 word seed phrase. I only have to enter this maybe once a month, if that.

I know that I'm an outlier here though. I also know from experience in my workplace that people are horrendous when it comes to password security. Same password for everything, names of their spouse, family members, or pets (or even their own name!), passwords written down in their notebooks, even passwords written on the underside of keyboards. I would be hopeful that if someone is technical enough to be using whole disk encryption they are also smart enough to be using long random passwords, though.

Fair enough. But this also assumes a person using an encrypted airgapped wallet isn't using a very simple password, such as 'password1' or 'dog' even if they spell it backwards. I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine. 

@HCP and malevolent

I agree, and this is kind of the point I made a few posts back. Hardware wallets are marketed as simple to use, user friendly, etc. These devices are often recommended to newbies or other less technical users who would be unable to safely set up and use an airgapped machine or paper wallets. These are exactly the users who are most likely to be unfamiliar with passphrases and therefore not using them. It is deeply irresponsible of Trezor to not directly warn these users.

You are correct, but only provided the hardware wallet is also using a passphrase. The majority of users do not use a passphrase, making a Trezor significantly less secure than an encrypted airgapped wallet.

Taking into account not just security but ease of use, user-friendliness, functionality, etc., for an average user (who likely has poor security practices), a hardware wallet (Trezor wallets included) is probably the safest place to store private keys.

Both your laptop, and your trezor are secured by the same thing, that is a password. An attacker with physical access to your devices would need specialized equipment, and technical skills, plus your password (passphrase) to gain access to your trezor, but would only need your password to gain access to your computer.


Yes. An airgapped device and a trezor need the same password to access any coin the respective device is holding. The airgapped computer will stay in a decrypted state for longer than a trezor when you are signing a transaction with either device. If you have an airgapped computer, an attacker with physical access to the device does not need any specialized equipment to start making attempts of guessing the password.

Depends if you're only considering "security" when deciding which is the "superior" solution.

I would say it all comes down to your own personal use case... how "secure" a HW might be compared to such a setup is debatable... given physical access to an airgapped device, it would probably be theoretically possible to access the private keys, even from an encrypted wallet... but yes of course a (properly) airgapped machine offers a decent level of security.

However the HW wallet will "win" if you need portability... I travel often, so this is important to me. Then there is the "ease of setup and/or use" factor. All the hardware wallets I have have taken me less than 15 minutes to setup from opening the package. Price could also be another factor ($60 for a Nano S vs. for a 2nd computer+webcams etc if you're going the QR code route).

All things considered, for me personally, I'd agree that a hardware wallet is still the "best" solution for storing my private keys... it offers levels of security and convenience that I'm happy with.

As with everything else in this world, YMMV.

I dont agree with that logic at all. I'm not concerned about physical attacks on my hardware wallets - I dont take them out and about with me, and they are stored in very secure locations. I still wiped my Trezor after learning about this vulnerability. I'm also not very concerned about physical attacks on my laptop, but I still use full disk encryption on it, and would absolutely swap to different software to do this if I knew the software I was using was crackable in <15 minutes.

And what about those 6% of users who are concerned about physical attacks? Do they not deserve a warning simply because they are in the minority?

Trezor devices do not user secure elements like some other hardware wallets do. There is no evidence to suggest that this attack would also be successful against a secure element.

More secure than an encrypted wallet on a permanently airgapped device?

Their response says they believe only about 6% of crypto users are concerned with physical attacks. This might not be enough of their user base to put such a prominent display on their website. 

Some possibly, some possibly not.
The issue is for me and for other people I have spoken with is that this OP issue still exists and they have done nothing about it (nor can they) but they still don't have the warnings front and center on their website / in the instructions.

-Dave

I don't think trezor is responsible for what other people tell their users.

To be fair to trezor, they do have a security page that discloses past security issues. Although this one does not appear on that page.

There was this statement that trezor published in their FAQ in 2016:

I think this answer is still technically true, but may be misleading in light of the disclosure referenced in the OP. There are other answers in trezor's FAQ page that imply that coin is safe if an attacker steals a person's trezor.

I believe the lack of notifications by trezor has to do with the common threat models of trezor customers, described in trezor's response to the disclosure in the OP. Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.

At the end of the day, the security of my coin is my responsibility. If representations were made to me that were correct based on the person's knowledge at the time, I don't think I would have a valid basis to complain if a new technique or new technology later made that representation to be untrue. 

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 

How about ANYTHING to inform their users.
E-mail to known owners.
Notifications on the home page.
Popups on the access pages.
Having a sticky thread here.

Something obvious, not what they do now which is make people dig for it.

-Dave
Note: This is most wallet makers not just Trezor

Well, they could certainly do more to inform their users about this, especially considering how much money some people are storing on their hardware wallets. When I first got my Trezor several years ago I had also been under an impression that a pin-protected Trezor is secure against all attacks, over the years it seems the narrative has changed.

Couldn't agree more.

The whole point of hardware wallets are that they are marketed as a simple and easy way to store your keys. They are often recommended to newbies on that exact premise. They are inferior to proper airgapped wallets, but much easier to set up and use. As soon as you start adding all these xxx, yyy, zzz caveats, they become less simple therefore less safe. Not only that, but Trezor make no mention of this attack whatsoever on their "Getting started" or "Basic features" manual/support page. Passphrases are mentioned exactly once on these pages here - https://wiki.trezor.io/User_manual:Setting_up_the_Trezor_device - where all they say is Trezor Manager can be used to set up a passphrase. You have to delve pretty deep in to the "Advanced settings" before they start recommending that you should use a passphrase, but still make absolutely no mention of this attack.

They can't just sweep an attack which has the potential for users to lose all the coins they own under the rug like this. Whenever this attack is discussed publicly their response is "It's not an issue because everyone should be using a long and random passphrase", but at no point in their set-up guide do they even mention passphrases exist, let alone that all users should be using one or risky losing everything.

There should be a big warning on their website and on their set-up guide stating "Yes, this attack exists, all future models will have different hardware to mitigate it, and all current users should be using passphrases".

Looking back through this thread and the other discussions about the vulnerability of some of the wallets there seem to be 3 things that keep coming around.

1) It's not that bad because of "xxx" reason. xxx can be needs access to the hardware, needs specialized equipment, needs an unreasonable amount of time.

2) It can be mitigated because of "yyy" reason. yyy can be long pin, long passphrase, there is no way to get to my device.

3) It can't happen to me because of "zzz" reason. zzz is my device never is unattended, my device is in a ultra secure location, etc.


The problem is this:
You could be holding a significant amount of money on one of these devices and they claim they are secure.
Then they make all these * notes about things you have to do to make it secure. Long pins, long passphrases, etc.

Which is great for us here reading these threads.

But, what about Bob? Alice told him to get a hardware wallet to keep things secure and he did. And he followed the setup instructions that did not mention the stupid long passphrase and 12 digit pin. And he even keeps it updated and occasionally reads the read me file with the new firmware.

But it's still not being being posted on the hardware makers site in 40 point red font telling people about it.

I even told my favorite hardware wallet maker they should do this (and they failed).

So, yeah it's an issue now and going to continue to be one.

-Dave

small edit of a line because what I had in my brain did not make it properly to my keyboard.

Probably, but the point I was making was that if this attack is successful, then you are entirely relying on your passphrase to protect your coins. 91 bits of entropy, although probably enough, is a tiny amount when compared to the usual 256 bits of entropy of a seed. If you want your passphrase to be as secure as your seed, then it needs to be impractically long and random.

I was meaning this one: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/. Specifically:

Which report are you referring to? There was a disclosure in March 2019 by ledger that confirmed that a side channel attack allowing an attacker to discover the PIN was patched. I also don't see anything about a 9 digit PIN in that disclosure.

This is true for any off-site backup. Using a trezor is still going to be more secure than using a paper wallet, or an encrypted file on a hard drive or USB stick because specialized equipment and technical skills are necessary to perform this kind of attack. These technical skills are worth north of 6 figures on the job market per year, and the ability of an attacker to get hired and utilize these skills would be diminished if caught breaking and entering somewhere to steal a trezor.

Unlike an encrypted file, the end user can use multiple passphrases, and can use an easier to crack passphrase with a smaller amount of coin. This would mean an attacker would need to find the coin, and decide if he wants to continue expanding resources to gain access to additional coin that may or may not exist. The attacker would also need to decide if he wants to spend the coin he find immediately, possibly tipping off the victim that his trezor has been compromised, or wait to try to find another passphrase with more coin, and risk the victim will discover the compromise and move his coin.