When you ask the internet, or some bitcoin experts, how to store your bitcoin and other cryptocurrencies safely so that nobody can touch your precious crypto, almost all of them will tell you to put it in a hardware wallet, for example a Trezor. Well, that is no longer the case.
At DEFCON 25, researchers revealed how they used a glitch in the Trezor's chip to hack it within 5 minutes, all thanks to the vulnerable chip made by STMicroelectronics. This hack actually happened months earlier, on March 29th, 2017, but Trezor only recently released the patch.
Why does it work?
When you disconnect your Trezor from its power source, all your private keys and PIN end up in the chip's SRAM. Funnily enough, this SRAM stores all of your sensitive info in plain text, just waiting to be read. All you need to do is inject your own modified firmware so that you can dump everything stored in SRAM. Here are the details:
- You need to download these programs:
  - USB HID flash update program
  - SRAM dumping program
  - Modified firmware (https://mega.nz/#!AHBmRR4A!jvai69cNTrvLBmB3VWczy3E6q1LzVqJ-hRe9uQfpy3o)
There are two ways of hacking it: a simple reset or a freezing attack.
- If you choose the simple reset, you need to disassemble the device and introduce a soft restart, so that you enter bootloader mode without erasing the RAM. This is done by connecting the wire as in the diagram below.
- If you choose the freezing attack, you spray the device with this $15 chip freezer, with no need to disassemble the whole device, but you need to introduce a power glitch to the device.
- Connect the Trezor to a fully charged laptop. Remember not to lose power at this stage or your password will be gone.
- Wait until the label is shown on the screen.
- If you're performing the simple reset, hold down the two Trezor buttons and, while doing that, release the RESET button. If you're performing the freezing attack, do the power glitch and release the two buttons.
- Run the command “tz_update fw_hacked_2017mar31.bin”.
- When the firmware is uploaded, press the RESET button.
- Next, run “tz_dump”, which will dump your seed, PIN, label and other information. Repeat step 11 if needed. And voilà:
All this takes less than 5 minutes if you do it properly!
Response from Trezor:
Today, SatoshiLabs released a security update to your TREZOR; a new firmware version — 1.5.2 — was pushed out to all users. This update fixes a security issue which affects all devices with firmware versions lower than 1.5.2.
Trezor further added that:
It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.
If your device does not leave your presence, your coins are safe. Moreover, if you have a passphrase enabled and actively use it, your coins are safe. Yet, we strongly recommend you to update your TREZOR anyway.
My 2 cents:
It is important that all of you who have been using a Trezor update to the latest firmware to remove this glitch. The way Trezor solved this is by modifying the bootloader so that it clears the whole RAM on start and also before it loads the firmware. But they are still not encrypting the sensitive info in the RAM, which they claim is a trade-off of convenience over security. The way I see it, this is just a temporary fix and more work needs to be done.
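The bootloader fix described above, as an added illustration in C that is not Trezor's own code: a simulated SRAM region, a wipe the compiler cannot optimise away at the two points the post names (bootloader start and just before the firmware is loaded), and a residue check a defender could run over a RAM dump to confirm nothing survived a reset. The SRAM array size, the offset and the marker standing in for a seed/PIN are constructed assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the MCU's SRAM. On a real part the bounds come from linker
 * symbols; this 4 KiB array is an assumption for the demo. */
#define SRAM_SIZE 4096
static uint8_t sram[SRAM_SIZE];

/* Constructed marker standing in for a seed and PIN left behind by the firmware. */
static const uint8_t SECRET[] = "constructed-seed-words-and-pin-1234";

/* Firmware has run and left its secrets in SRAM; this remanence is what the
 * attack described in the post reads out after a soft reset. */
void firmware_leaves_secret(size_t offset) {
    memcpy(sram + offset, SECRET, sizeof SECRET);
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead (a plain memset on memory that is never read again may be elided),
 * then emit a compiler barrier (GCC/Clang syntax). */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
    __asm__ __volatile__("" ::: "memory");
}

/* The two wipe points the post attributes to the fixed bootloader. */
void bootloader_start(void)            { secure_wipe(sram, SRAM_SIZE); }
void bootloader_jump_to_firmware(void) { secure_wipe(sram, SRAM_SIZE); }

/* Defender's check over a RAM image: 1 if the marker is still present. */
int sram_contains_secret(void) {
    for (size_t i = 0; i + sizeof SECRET <= SRAM_SIZE; i++)
        if (memcmp(sram + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

/* Scenario from the post: firmware ran, the device was soft-reset into the
 * bootloader, and a dump was taken. Returns 1 if a secret survived. */
int residue_after_reset(int patched_bootloader) {
    firmware_leaves_secret(1000);
    if (patched_bootloader) {
        bootloader_start();
        bootloader_jump_to_firmware();
    }
    return sram_contains_secret();
}
```

Note that this only covers the reset path the post discusses; secrets are still held unencrypted in SRAM while the firmware is running, which is exactly the remaining concern raised above.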