
Topic: wallet.fail - 35C3 talk on hardware wallet vulnerabilities (Ledger, Trezor) - page 2. (Read 446 times)

A couple of security researchers just presented a talk at the 35C3 regarding a couple of security vulnerabilities in common hardware wallets:

https://www.youtube.com/watch?v=Y1OBIGslgGM


Most notably they found the following vulnerabilities:

1) Flashing the Ledger Nano S with custom firmware without the device noticing (starting @ 17:00)

2) A side-channel attack allowing the PIN entered into Ledger Blue devices to be read remotely (@ 28:30)

3) Extracting the mnemonic seed phrase and PIN from Trezor One devices (@ 35:00)


1) and 3) require direct physical access to the device, while 2) requires an attacker to be rather close by, so obviously the security level is still way beyond regular software wallets.


Keep in mind that vulnerabilities found in these devices do not imply that other hardware wallets are more secure. As mentioned in the last few minutes of the talk, the researchers found other vulnerabilities in other wallets as well; the ones they presented are merely a collection of the most interesting ones. Still, it will be interesting to see if and when these vulnerabilities will be fixed (responsible disclosure appears to have been made, with the Trezor CTO participating in the Q&A towards the end of the video).

