
Topic: Trezor - seed extraction (Read 244 times)

legendary
Activity: 2268
Merit: 18748
March 10, 2022, 10:37:50 AM
#22
From my point of view, keeping a passphrase inside a hardware wallet defeats the purpose of hidden wallets. No matter how well it is implemented: it shouldn't store it. Period.
Completely agree. If you are storing the passphrase on the same device that stores your seed phrase, regardless of what that device is, then you have negated much of the benefit of using a passphrase at all. It doesn't matter if that device is a hardware wallet which touts itself as being safe and immune from hacks, since we've seen time and again that these devices can be breached in a variety of ways.
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
March 10, 2022, 01:29:34 AM
#21
Depends on the hardware wallet. I can't possibly speak for all hardware wallets, but most do not store private keys but instead derive them each time they are required and "forget" them when you unplug the device. The passphrase is another matter. There are some which do not store the passphrase, some which do, and some which can do either. Ledger wallets, for example, give you the option to attach the passphrase to a secondary PIN (in which case it is stored in the device), or to attach it temporarily each time you want to use it (in which case it isn't stored in the device).
I was mainly referring to a Trezor hardware wallet since it is open-source and on-topic. Because in the case of closed-source wallets like Ledger, it is anyway very difficult to figure out or verify what it is doing behind the scene. From my point of view, keeping a passphrase inside a hardware wallet defeats the purpose of hidden wallets. No matter how well it is implemented: it shouldn't store it. Period.


I said before there are DIY hardware wallets who are doing exactly that with non-consistent file storage, and memory gets deleted each time when device power is turned off.
Two examples I know are SeedSigner based on Raspberry Pi Zero, and Krux Wallet based on M5StickV device... importing seed words is quick for both of them with QR code.
Both of them are relatively cheap to make and you won't be targeted by anyone for using general use devices like this not connected with cryptocurrencies.
They are more like signing devices than hardware wallets, but I see no reason why someone couldn't release something similar that is not DIY.
What happens if you accidentally scan the mnemonic QR-code with the camera of your smartphone instead of the signing device? Will an attacker be able to intercept it and quickly steal your savings? I think the answer is yes, they can, which makes me think that storing your seed in a form of QR-codes is not a good idea in principle. With signing devices as you mentioned above, it is very convenient to spend bitcoin from a paper wallet or something. But it is not at all suitable for everyday transactions due to the necessity of importing the seed every time you want to send someone bitcoin. It might work for cold-cold storage because you spend from it very rarely, but in such a case, there is no point in keeping QR-codes for your seed. The more time you spend directly interacting with your seed, the higher the chance of messing everything up and compromising your seed. Just my thought, I may be gravely mistaken.
legendary
Activity: 2212
Merit: 7064
March 09, 2022, 03:31:26 PM
#20
This is what I was trying to convey: if a hardware wallet didn't keep the seed phrase, it wouldn't be possible to extract it.
I said before there are DIY hardware wallets who are doing exactly that with non-consistent file storage, and memory gets deleted each time when device power is turned off.
Two examples I know are SeedSigner based on Raspberry Pi Zero, and Krux Wallet based on M5StickV device... importing seed words is quick for both of them with QR code.
Both of them are relatively cheap to make and you won't be targeted by anyone for using general use devices like this not connected with cryptocurrencies.
They are more like signing devices than hardware wallets, but I see no reason why someone couldn't release something similar that is not DIY.
legendary
Activity: 2268
Merit: 18748
March 09, 2022, 08:23:41 AM
#19
In theory, a HW wallet could store some derivative of the seed and use a non-standard implementation of a passphrase in order to avoid storing the seed.
There are no hardware wallets I am aware of which do this, and it would achieve next to nothing anyway.

The only sensitive information a hardware wallet stores is the seed phrase, right? I mean, a hardware wallet doesn't store private keys, which it derives from the seed once you request it to sign transactions, nor does it keep in its memory a passphrase that was initially used to create "hidden" private keys.
Depends on the hardware wallet. I can't possibly speak for all hardware wallets, but most do not store private keys but instead derive them each time they are required and "forget" them when you unplug the device. The passphrase is another matter. There are some which do not store the passphrase, some which do, and some which can do either. Ledger wallets, for example, give you the option to attach the passphrase to a secondary PIN (in which case it is stored in the device), or to attach it temporarily each time you want to use it (in which case it isn't stored in the device).
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
March 09, 2022, 07:42:56 AM
#18
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
The only sensitive information a hardware wallet stores is the seed phrase, right? I mean, a hardware wallet doesn't store private keys, which it derives from the seed once you request it to sign transactions, nor does it keep in its memory a passphrase that was initially used to create "hidden" private keys. It also follows that once you unplug the USB cable or turn it off, a hardware wallet forgets everything it has derived during the time of being used as a signing device. In other words, it has a short memory. A hardware wallet, again and again, has to perform certain calculations every time you connect and ask it to authorize the transfer of funds from the address for which it has a corresponding private key to some other address. Am I right?

The only reason that hack worked was because the device kept the seed
This is what I was trying to convey: if a hardware wallet didn't keep the seed phrase, it wouldn't be possible to extract it.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
March 08, 2022, 02:12:20 PM
#17
Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions?
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
In theory, a HW wallet could store some derivative of the seed and use a non-standard implementation of a passphrase in order to avoid storing the seed.

Doing so would not improve the security of the HW wallet. If someone is able to extract the "secrets" from a HW wallet, they are going to use tools with the ability to copy arbitrary information, and are not going to write information displayed on the HW wallet's display.

The algorithm to calculate the private keys based on the above derivative will need to be public, so it will be possible for the user to recover their private keys in case their HW wallet breaks.
legendary
Activity: 2730
Merit: 7065
March 08, 2022, 05:04:09 AM
#16
Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions? If it had been otherwise, there wouldn't have been a chance to extract it either legally or illegally due to the physical absence of necessary keys.
The seed is stored inside the wallet but you can't access it just like that. o_e_l_e_o mentioned Kingpin and his successful seed extraction of a Trezor One with an outdated and vulnerable firmware. The only reason that hack worked was because the device kept the seed and the PIN in RAM when the device booted. But getting your hands on it still required extensive work and penetration. But this has already been fixed a few years ago.
legendary
Activity: 2212
Merit: 7064
March 07, 2022, 10:51:55 AM
#15
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
Some DIY hardware wallets like SeedSigner are using nonconsistent storage, so every time you turn off power from your device you lose all information from memory.
This means you would have to import your seed words in SeedSigner each time when you power on device, but this is fast process with QR code import system.
I think this is better option for devices that don't have secure element installed (read Trezor), it is safer and you don't have to worry if someone will hack your device.
Some people would argue this is even better approach than using closed source secure elements in hardware wallets (read ledger).
It can be a hassle if you use hardware wallet all the time and turn it on/off, but it is good if you just hodl coins and make only few transactions.
legendary
Activity: 2268
Merit: 18748
March 07, 2022, 06:25:00 AM
#14
Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions?
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
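Added example (not part of any post in this thread, and not Trezor's firmware): the BIP39/BIP32 derivation the post above refers to, showing why a device that keeps only the derived root seed cannot open a passphrase wallet. The `Device` class is a hypothetical model of what is kept in storage; the mnemonic is the public BIP39 test vector.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP39


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: root seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """BIP32: split HMAC-SHA512("Bitcoin seed", seed) into (master key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


class Device:
    """Hypothetical model of what a wallet keeps in storage (an assumption)."""

    def __init__(self, mnemonic: str, keep_mnemonic: bool):
        self.mnemonic = mnemonic if keep_mnemonic else None
        # A device that discards the words can only keep the no-passphrase seed.
        self.root_seed = bip39_seed(mnemonic)

    def master_key(self, passphrase: str = "") -> bytes:
        if passphrase == "":
            return bip32_master(self.root_seed)[0]
        if self.mnemonic is None:
            # The passphrase goes into the PBKDF2 salt, so the stored 64-byte
            # output cannot be combined with it afterwards; the words are needed.
            raise ValueError("passphrase wallet needs the stored mnemonic")
        return bip32_master(bip39_seed(self.mnemonic, passphrase))[0]


# Public BIP39 test-vector mnemonic; never fund wallets derived from it.
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    full = Device(TEST_MNEMONIC, keep_mnemonic=True)
    seed_only = Device(TEST_MNEMONIC, keep_mnemonic=False)
    print("standard wallet :", seed_only.master_key().hex())
    print("hidden wallet   :", full.master_key("TREZOR").hex())
    try:
        seed_only.master_key("TREZOR")
    except ValueError as exc:
        print("seed-only device:", exc)
```

Both devices produce the same standard wallet, but only the one that kept the mnemonic can re-run PBKDF2 with a passphrase in the salt.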
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
March 07, 2022, 02:05:06 AM
#13
I am not sure about extracting it programmatically though, because in the first place, the seed phrase isn't stored anywhere..
Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions? If it had been otherwise, there wouldn't have been a chance to extract it either legally or illegally due to the physical absence of necessary keys.

Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...
As many have correctly pointed out, Trezor hardware wallets don't offer the functionality of displaying the seed words you were shown upon the initial setup. Therefore, there is no legal way to reveal your seed. However, Trezor offers something else that could help you to compare the seed you have backed up on a piece of paper and the seed that is stored inside a hardware wallet, albeit without revealing the latter. This feature is called "Dry-run recovery." [1][2][3]

[1] https://wiki.trezor.io/User_manual:Dry-run_recovery
[2] https://blog.trezor.io/test-your-seed-backup-dry-run-recovery-df9f2e9889
[3] https://www.reddit.com/r/TREZOR/comments/rj7fpx/is_is_possible_to_do_the_dryrun_to_verify_my/
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
March 06, 2022, 05:55:46 PM
#12
Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
No.

Quote
am aware of some "hacking" ways, brute-forcing PIN
This is also not possible. Each time you incorrectly enter your PIN, you will have to wait an increasingly long amount of time before you can try again.


If it were possible to extract the seed from a HW wallet, it would be a security vulnerability, and the manufacturer would need to take steps to prevent this. You were instructed to write down the seed phrase when you initially created your seed. If you no longer have access to the seed, if you have access to the PIN, you should move all the coin out of your HW wallet and into a wallet whose private keys you have multiple backups to.
legendary
Activity: 2212
Merit: 7064
March 06, 2022, 05:07:44 PM
#11
It would be easy to change it, but of course installing custom build firmware removes seed.
Some hardware wallets have option for revealing seed words on display, I think it's Coldcard wallet and maybe some others, but you first need to know or hack PIN code.
I don't know how this works and I don't have the skills to examine and try what you want, and I doubt many people on earth can do what you want.
I know Kraken team was also doing testing like this, along with ledger donjon and other unknown people.
legendary
Activity: 2268
Merit: 18748
March 06, 2022, 04:10:53 AM
#10
There is no "legal" way to do this. If there was an easy "illegal" way to do this, then it would have been done already, a security bounty claimed, and patched so it was no longer possible. It took Joe Grand (Kingpin) several months with a very outdated wallet to exploit a vulnerability which was patched 4 years ago just to unlock a wallet. The only way I am aware of to do this would be via the Ledger Donjon's method: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/

There are some hardware wallets which retain the option to display the seed phrase after you have unlocked them which you could look in to if you want to be able to do this in the future. I don't really like that option though, as it does pose an additional security risk.
legendary
Activity: 2730
Merit: 7065
March 06, 2022, 03:54:10 AM
#9
In all these years I have been here, I have never heard of anyone extracting or managing to display their seed a second time except during the wallet creation process. If you know your recovery phrase and you want to get a specific private key of one or multiple addresses, it can be done with the IanColeman BIP39 tool. I think the correct field where the seed needs to be entered is "BIP39 Mnemonic". This should of course be done in an offline environment. 
legendary
Activity: 952
Merit: 1386
March 06, 2022, 03:39:58 AM
#8
Be serious please... or ask Kingpin or other developers who hacked Trezor before.
Trezor fixed previous bugs so it would be much harder to repeat something like that again.
This is not a trivial task and certainly can't be performed by weekend forum warrior hacker.

Funds are already sent to new address, so it is just for fun - and to learn something new. I have HW for years and never spent so much time reading code as during last two days. And some say "it is open source, it must be tested/verified/checked by many people..." ;-)

The test if device already provided seed is performed in firmware too:
https://github.com/trezor/trezor-firmware/blob/395324a8ad9399bacba2ebb8740d72971842d761/legacy/firmware/reset.c (from line 156)
It would be easy to change it, but of course installing custom build firmware removes seed.
legendary
Activity: 2212
Merit: 7064
March 05, 2022, 05:26:19 PM
#7
Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
If you already have backup words written on paper just use that.
It would be stupid for anyone to trust only their hardware device as only source for keeping seed phrase, especially without passphrase.

I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
Be serious please... or ask Kingpin or other developers who hacked Trezor before.
Trezor fixed previous bugs so it would be much harder to repeat something like that again.
This is not a trivial task and certainly can't be performed by weekend forum warrior hacker.

legendary
Activity: 952
Merit: 1386
March 05, 2022, 12:56:31 PM
#6
If you can access the funds, make an Electrum temporary cold wallet with a Tails OS stick and no internet (make sure you write down the temporary seed, just in case!), send the coins to that wallet, reset Trezor with a new seed (which you backup properly this time), send the coins to Trezor (make sure you keep that Tails OFFLINE), and you're done.

Yes, transfer to the new seed is my Plan B, but I think I will give myself some time, maybe I will find the way to do it other way.
Unfortunately I do not see any active discount/promo codes for Trezor T.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
March 05, 2022, 12:03:58 PM
#5
Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...

If there's no other way to access the funds, go the hacking route.

If you can access the funds, make an Electrum temporary cold wallet with a Tails OS stick and no internet (make sure you write down the temporary seed, just in case!), send the coins to that wallet, reset Trezor with a new seed (which you backup properly this time), send the coins to Trezor (make sure you keep that Tails OFFLINE), and you're done.

I would not expect a hardware wallet like Trezor is easy to tamper, and that's the reason of the proposed "routes".
legendary
Activity: 952
Merit: 1386
March 05, 2022, 11:55:57 AM
#4
I believe this defeats the whole purpose of a hardware wallet.

If you can "hack" it to display your seed again, you are breaking its security. The seed is not supposed to show again, as it would literally be e exposing "

Guys, I know all that. I did not ask you for advice "do not do it, it is against security rules", I asked you HOW to do it ;-)
I am checking trezor-suite sources, retrieving backup seems to be blocked programmatically, just as a result of check "if it was already done". I would have to rebuild Suite and see if I am able to talk to device. Unfortunately I am allergic to typescript/node etc.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
March 05, 2022, 09:05:15 AM
#3
Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...

I believe this defeats the whole purpose of a hardware wallet.

If you can "hack" it to display your seed again, you are breaking its security. The seed is not supposed to show again, as it would literally be e exposing "