
Topic: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware - page 2. (Read 704 times)

legendary
Activity: 3472
Merit: 1724
For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.

5 randomly chosen words from a very thick dictionary should be more than enough. (almost 91 bits of entropy if it's a dictionary with 300k entries)
legendary
Activity: 2268
Merit: 18748
I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.
The Ledger report states that even a 9 digit PIN was brute forcible within a few minutes.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise
This is true, but there are plenty of people who store a secondary hardware device off-site as a backup, and might only check on it once a week, once a month, or even less frequently. If an attacker was to access one of those, they could potentially have several months to try brute forcing a passphrase (assuming they have used one).
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people...

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave
If you are not known to have a lot of coin, you will probably not be the subject of this kind of attack. If you have a trezor in a desk drawer, and your house is burglarized, the burglars will probably ignore your trezor if they come across it. If you keep your trezor in a safe, and the safe fairly well hidden (under a carpet or rug, or behind a picture), chances are an attacker will not be able to physically access your trezor.

I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise, and move his coin via a backup, or an emergency pre-signed transaction that he broadcasts before the passphrase can be brute forced.

This attack does not require expensive equipment, but the equipment required to execute the attack is fairly specialized. An attacker would need to have specialized technical skills to execute this attack. These technical skills are very valuable in the job market, and an attacker would need to risk his ability to leverage these skills in the job market to even try to pull off this kind of attack.

Unfortunately, it is very difficult to protect information that is frequently accessed from attacks involving physical access to a device. 
legendary
Activity: 2898
Merit: 1823

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.

Which is still not a lot of time so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters it is still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a trezor


So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave


Then it's still not a practical attack. Plus there's an option for "the owner" to secure his Bitcoins with different passphrases, with each going to a different hidden wallet.
legendary
Activity: 2268
Merit: 18748
I own a Ledger Nano S. Am I at risk too?
There is not an equivalent attack known about at present for Ledger devices. With enough time and money, any hardware wallet is potentially breakable though, for example by examining the secure element with an electron microscope.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.
Correct. PIN is only used to unlock your device. It is irrelevant to restoring your wallet from the seed phrase. If you set a passphrase, you will be unable to recover the wallets behind it without both seed phrase and passphrase.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed.
This attack does not involve bruteforcing the PIN, so any modifications to the PIN would be irrelevant.
legendary
Activity: 1134
Merit: 1598
I own a Ledger Nano S. Am I at risk too?

I've carried my Nano S in many places before knowing it could become physically exploited at any time.

Since I found out, I'm extra careful. I just thought I could carry it around and if I lose it - who cares? I got my seed, right? This is how it's been marketed around.

It looks like that's not the case. I haven't used a passphrase before on my Ledger due to the fear of forgetting it. Had a similar experience before and it sucks, I want to avoid a 2nd disaster.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed. Knowing the PIN is pretty short and numeric-only, AFAIK it's pretty easy to be bruteforced (although physical introduction of a false PIN 3x leads to the autoreset of a Ledger).

If that is the case and I'm not mistaken, wouldn't this problem be solved on both Trezor and Ledger by changing the HW PIN with an alphanumeric password? It would be pretty damn annoying to have to go through +35 characters by using just 2 physical buttons (speaking about Nano S), but I'd do it if that's what it takes to protect the theft of my seed.
legendary
Activity: 2268
Merit: 18748
I will surely find out that the device was switched well before he can guess it.
Oh, I was speaking more in generalities rather than at you directly. Apologies for not being more clear. I was suggesting that I'm sure there are an awful lot of people out there who are more careless, and might not notice that their hardware wallet had been swapped or even notice if it was missing altogether for an extended period of time. A very clever attacker, after opening your device and extracting your seed, could even restore your seed to a brand new device and return that new device to wherever you are storing your Trezor. You (not you personally) would be none the wiser.

Which is still not a lot of time so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters it is still in the low hours with powerful enough HW.
An attacker doesn't need to have physical access to your device to brute force the passphrase once they have extracted your seed, though.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.

Which is still not a lot of time so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters it is still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a trezor

So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave
legendary
Activity: 2898
Merit: 1823

I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.

What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?


Then I'm very confident that it would take the hacker a very long time to brute force my passphrase. I will surely find out that the device was switched well before he can guess it. It won't be close.
legendary
Activity: 2268
Merit: 18748
While I will admit that it is a huge flaw in the design of the Trezor, this is not exactly a doomsday scenario that everyone seems to want to make it... Put on a "decent" passphrase (which isn't that difficult or annoying to use) and the entire thing essentially becomes a moot point anyway.
Well, it depends on your threat model, and how you use your Trezor. I use hardware wallets as a semi-cold wallet from my desktop computer, and they never leave my house or secure backup locations. I don't carry them around with me, and no one in real life other than my wife even knows they exist. So for me this attack is low risk, although I have still stopped using my Trezor and replaced it with another Ledger device.

But what about if you use your hardware wallet to secure a mobile wallet, for example? You carry it around constantly in your pocket or a bag, people see you using it, can maybe even track your addresses by watching you spend from it to a merchant's known address, and so on. Both the likelihood of being targeted and the possibility of this attack (or similar) both increase significantly.

Now, while passphrases are great, and everyone with a hardware wallet should be using them, the passphrase answer by Trezor is completely unsatisfactory. It does nothing to address the failure in their wallets. The majority of people don't use a passphrase, and the majority of those who do certainly aren't using a long and truly random one. They have done little to publicize this need to their users. Really, they should be releasing a patch which requires all users to set a passphrase of minimum x characters. If we assume someone has accessed your seed and the only thing protecting your coins is a passphrase, then what you have left is little better than a brain wallet.

I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.
What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?
legendary
Activity: 2730
Merit: 7065
I wear my Trezor around my neck.
If I did that I would find myself checking constantly if it is still there, if it didn't get caught into something and fell off.



I assume an attack like this is not possible on a Ledger device. Seems that only Trezor users without passphrases have reasons to worry.
I would be interested in finding out how hard security experts have tried to break Ledger wallets as well.
legendary
Activity: 2898
Merit: 1823
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people...

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.


I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.


Quote

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.
HCP
legendary
Activity: 2086
Merit: 4361
Assuming they lug some laboratory equipment with them while breaking into my secure apartment building... and they know precisely where my hardware wallet is stored... assuming, as you say, that they even know I have one in the first place!

That's why I said "somewhat theoretical"... Yes, it's possible... but is it really probable? For me... the answer would be "No". I think it would be more likely that my wallet/phone would be stolen from my pocket/bag while I was out and about during the day... and I'm not terribly worried about that either.

While I will admit that it is a huge flaw in the design of the Trezor, this is not exactly a doomsday scenario that everyone seems to want to make it... Put on a "decent" passphrase (which isn't that difficult or annoying to use) and the entire thing essentially becomes a moot point anyway.

For anyone with enough coin stored on a Trezor to be worried about losing it... then simply switching to a Ledger or Coldcard or another hardware wallet shouldn't be a massive issue.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people...

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave
HCP
legendary
Activity: 2086
Merit: 4361
Yeah I saw this article on my newsfeed the other day... and was like "Wasn't this already done and discussed?"

Seems that Kraken just reproduced what Ledger already did... and said what we already know:
If you use a Trezor, make sure you are using the passphrase feature!


Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people...
legendary
Activity: 2898
Merit: 1823
I don’t know what is the benefit of republishing this news, everyone knows that physical access to any device will expose you to danger and that the use of easy-to-guess passwords makes you vulnerable to hacking. Perhaps the platform is trying to gain media.


It wasn't republished. Kraken did their own version of an attack done in hacking conferences, and thought that it might be a good idea, which it is, to remind everyone, again, to put a passphrase.

Quote

Everyone should remember that there is no wallet completely safe and there is nothing against hacking, your use of more than one wallet, strong passwords, distrust of any third party, follow-up news will spare you all of these hacks.


Put a passphrase.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
So because Ledger, their main competitor is saying that (without any proof) it's necessarily true?
Ledger disclosed the attack to Trezor. Trezor's response was essentially "You need physical access and mitigated by a passphrase". If Ledger had lied and completely made it up, would Trezor not just have said that? It would be pretty irresponsible of Ledger to release the actual set up they used.

Other people did, it's out there if you look.
Now this next little bit REALLY makes it look like I'm shilling for Coinkite / Coldcard but a blurb from their marketing:

Quote
SECURE ELEMENT FOR KEY STORAGE
We find it quite scary that some Bitcoin wallets trust the main microprocessor with their most valuable secrets. Instead, Coldcard uses a Secure Element to protect your Bitcoin.

Specifically, the Coldcard (Mk3) uses Microchip's ATECC608A to store the critical master secret: the 24-word seed phrase for your BIP32/BIP39 wallet.

This little chip is very powerful. Communication is controlled by complex challenges and SHA-256 responses which prevent replay and eavesdropping. The secure element enforces cryptographically, that the attacker must know the PIN to access the secrets. An attacker cannot brute-force combinations or replay a previous login sequence. This remains true even if they removed the chip from the board or fully-replaced the firmware in the main microprocessor. In fact, even with the secure element removed from the system, and all the secrets of the main micro fully-known, the attacker would still only get 13 tries before the secure element bricks itself! (Don't worry, this counter is reset every time you login correctly.)

So if they can do it why can't others?

They also have the self destruct pin option and the sign with SD card so it's always airgapped option.

I would say it's not that difficult, but I am sure it is. But if they can do it other people can too. That is if they actually care enough to try.

On another note they also have a nice document about PIN use and some thoughts about how / why it works the way it does:

https://raw.githubusercontent.com/Coldcard/firmware/master/docs/pin-entry.md

-Dave


legendary
Activity: 2268
Merit: 18748
So because Ledger, their main competitor is saying that (without any proof) it's necessarily true?
Ledger disclosed the attack to Trezor. Trezor's response was essentially "You need physical access and mitigated by a passphrase". If Ledger had lied and completely made it up, would Trezor not just have said that? It would be pretty irresponsible of Ledger to release the actual set up they used.

but you said exactly the opposite 3 days ago for just 2048^4 combinations...
All I said in that previous thread was that there was more work to be done than simply trying different seed phrases which would slow down the bruteforce attempt, and 10 billion combinations a second is too high a number. I never said a bruteforce attempt would be impossible. Assuming an attacker also knows your addresses (because otherwise why would they be targeting you), then with this attack you can also skip the blockchain look-up step.

2048^4 is 44 bits of entropy. This is brute-forcible. The average human generated password has entropy of around 40.5 bits. Again, this is brute-forcible. My point above is that if you are assuming your seed can be accessed, but you want to maintain the same level of security, then you need a very long and random passphrase, which almost nobody will be using.
legendary
Activity: 2604
Merit: 2353
In practice only an electronic engineer in a laboratory with the necessary equipment is able to conduct this attack.
Quite the opposite. The Ledger release above shows the attack was possible using a single board with components costing less than $100, using only "basic electronics techniques". Not only is this attack potentially easily reproducible, but someone could also manufacture and sell those boards.
So because Ledger, their main competitor is saying that (without any proof) it's necessarily true?
You have read the Kraken report and watched their video? You really think it's easily reproducible by anyone? There are certainly more chances to destroy the chip by doing all those manipulations than to succeed for the average handyman IMO.
And the equipment they used doesn't cost only 100$...

For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.
Again you are quoting the Ledger claims... but you said exactly the opposite 3 days ago for just 2048^4 combinations...
For every possible seed phrase he has to go through 2048 iterations of PBKDF2 using HMAC-SHA512 to get a 512-bit seed number. For each seed number he then has to perform HMAC-SHA512 to create a master private key, again to create a child private key, ECDSA with secp256k1 to create a public key, SHA256 and RIPEMD160 to get an address, and then each address has to be checked for balance on the blockchain. And that's the minimum amount of work assuming you are using m/44'/0'/0'/0/0. Any other address, change address, account, or purpose (address type) requires additional work.
The passphrase is UTF8 encoded, 37 random characters gives 1 million^37 combinations...
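Added example, not part of any post in this thread: the BIP39/BIP32 derivation quoted above, showing that the passphrase is mixed into the seed while the device PIN never appears, together with the entropy figures the thread compares. The function names are illustrative, the mnemonic is the published BIP39 test vector, and the passphrase "correct horse" is constructed.

```python
import hashlib
import hmac
import math
import unicodedata

# Published BIP39 test-vector mnemonic (all-zero entropy); never a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"
SEED_BITS = 256  # entropy of a 24-word BIP39 mnemonic (the remaining bits are checksum)


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed" -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_fingerprints(mnemonic, passphrases):
    """Short hex tag of the master private key behind each passphrase.
    The device PIN is not an input to any step of this derivation."""
    return {p: bip32_master(bip39_seed(mnemonic, p))[0].hex()[:16]
            for p in passphrases}


def entropy_bits(symbols, length):
    """Bits of entropy in `length` independent uniform picks from `symbols`."""
    return length * math.log2(symbols)


def length_to_match(target_bits, symbols):
    """Fewest uniform picks from `symbols` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(symbols))


if __name__ == "__main__":
    # Constructed passphrases: each one opens a different wallet on the same seed words.
    for phrase, tag in wallet_fingerprints(
            TEST_MNEMONIC, ["", "TREZOR", "correct horse"]).items():
        print(f"passphrase {phrase!r:16} -> master key {tag}...")

    # Figures quoted in the thread, recomputed.
    print(f"4 BIP39 words:            {entropy_bits(2048, 4):6.1f} bits")
    print(f"5 words from 300k list:   {entropy_bits(300_000, 5):6.1f} bits")
    for name, size in [("digits", 10), ("a-z", 26), ("printable ASCII", 95),
                       ("7-bit ASCII", 128)]:
        n = length_to_match(SEED_BITS, size)
        print(f"{name:16} needs {n:3d} random characters for {SEED_BITS} bits")
```

The number of random characters needed to match a 24-word seed depends on the alphabet assumed: 37 with a 128-symbol alphabet, 39 with the 95 printable ASCII characters.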
legendary
Activity: 2702
Merit: 4002
I don’t know what is the benefit of republishing this news, everyone knows that physical access to any device will expose you to danger and that the use of easy-to-guess passwords makes you vulnerable to hacking. Perhaps the platform is trying to gain media.

Everyone should remember that there is no wallet completely safe and there is nothing against hacking, your use of more than one wallet, strong passwords, distrust of any third party, follow-up news will spare you all of these hacks.