Satoshi Labs

These Developers Claim They Can Crack Any Hardware Wallet

28/12/2018 by Idelto Editor

On Dec. 27 at the 35th Annual Chaos Communication Congress (35C3) event, three individuals from a startup called Wallet Fail allegedly hacked the most popular hardware wallets and revealed their secrets on stage. According to Trezor, however, the hackers at 35C3 did not follow the standard responsible disclosure protocol, and Ledger Wallet developers claim the Wallet Fail team only gave the impression of critical vulnerabilities, emphasizing that this was “not the case.”

A Startup Called Wallet Fail Claims to Have Cracked Cryptocurrency Hardware Wallets

The European Chaos Computer Club hosts the annual Chaos Communication Congress, a conference that gathers hackers, computer scientists, and security experts. At this year’s 35th edition (35C3), attendees saw an hour-long demonstration from a team called Wallet Fail, a group that believes it can break into any cryptocurrency hardware device, including top brands like Trezor and Ledger. Wallet Fail presented vulnerabilities that can be fixed in a firmware upgrade, but the team claims to have also found issues with the microcontrollers, bugs that would “require a new hardware revision.”

The Wallet Fail developers seemingly cracked multiple hardware wallets manufactured by popular vendors at the 35th Annual Chaos Communication Congress (35C3). 

Some of the attacks shown on stage included various software attacks. Wallet Fail showed a slideshow of pictures exposing private information when the device was flash booted. Other attacks seemingly showed severe weaknesses within the supply chain, evil maid attacks, side channel assaults, and other types of social engineering techniques. The video demonstrates cracking the hardware wallet’s proprietary bootloader protection, bypassing microcontrollers, and using web interface glitches to interact with the wallet. In one part of the demonstration video, Wallet Fail flashed a Ledger Nano S device and boot-loaded the old school Snake game that was once installed on Nokia feature phones. After the hour-long demo, the developers uploaded the 35C3 video to the startup’s Wallet.fail website.

The ‘Trezor Glitcher’ device developed by Wallet Fail programmers can allegedly reveal private data. 

Trezor and Ledger Wallet Respond to Vulnerability Accusations

After the website published the video and the 35C3 event came to an end, two of the most popular hardware wallet manufacturers responded to the claims made by Wallet Fail. The CTO of Satoshi Labs, Pavol Rusnak, told his Twitter followers his company was not informed through Trezor’s responsible disclosure program and learned about the vulnerabilities “from the stage.” “We need to take some time to fix these and we’ll be addressing them via a firmware update at the end of January,” Rusnak emphasized on Twitter. According to the Satoshi Labs CTO, he attended the 35C3 conference this year and saw the demo first-hand.

Trezor also responded to the video demo and tweeted:

Please keep in mind that this is a physical vulnerability. An attacker would need physical access to your device, specifically to the board — breaking the case. If you have physical control over your Trezor, you can keep on using it, and this vulnerability is not a threat to you.             

Wallet Fail developer Thomas Roth shows the audience the Ledger security model and bootloads the old Snake game on a Nano S device. 

The Ledger Wallet team headquartered in France also responded to Wallet Fail’s accusations. According to Ledger, the Wallet Fail team presented a total of three attack vectors which had given the audience the impression of “critical vulnerabilities.” However, the Ledger developers state that “this is not the case” and users should not worry about securing assets on Ledger devices.

“In particular they did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure,” detailed the Ledger team’s blog post on Friday.

Ledger continued:

[Our] responsible disclosure is the best practice to follow in order to protect the end users while improving our products’ security.

Hardware Wallet Manufacturers’ Uphill Battle

This isn’t the first time hardware wallet manufacturers have had to deal with wallet hackers who claim they can compromise any device. Back in the Summer of 2017 at Def Con 25 in Las Vegas, attendees saw an exhibit which allegedly disclosed vulnerabilities in popular cryptocurrency hardware wallets. Last March a teenager told Ars Technica he created code that could find a “backdoor” in Ledger devices. However, again Ledger Wallet told the public that 15-year-old Saleem Rashid’s published post on certain vectors was “not critical” and the attacks “cannot extract the private keys or the seed.”

The Wallet Fail team also disclosed simple supply chain vectors.

As usual, most of the vulnerabilities have been taken with a grain of salt because a great majority of attacks shown over the years require stealing the physical device itself and remote attacks still seem implausible. The companies who responded to Wallet Fail’s recent demo stressed that people should use a secondary passphrase. A few cryptocurrency veterans also stressed on social media the importance of using a PIN with hardware devices.


The post These Developers Claim They Can Crack Any Hardware Wallet appeared first on Bitcoin News.


Trezor to Implement Bitcoin Cash Addresses

02/04/2018 by Idelto Editor

Trezor to Implement Cashaddr for Bitcoin Cash Addresses

After seeming to be outright hostile to incorporating Cashaddr, a way to distinguish easily between bitcoin core and bitcoin cash addresses, popular hardware cold storage wallet company Trezor confirmed its integration is on the way.

Cold Storage Wallet Maker Trezor to Integrate Cashaddr for BCH

Jason Elliott, a bitcoin cash advocate on Twitter, began asking makers of hardware cold storage wallets when their users could expect integration of Cashaddr, an address standard adopted by the bitcoin cash (BCH) ecosystem to help limit confusion. Within the thread, Bach N. of Trezor responded, affirming that Cashaddr is in development for Trezor. His response came complete with a GitHub link, which appeared to confirm the tweet.

The GitHub link leads to a Trezor MCU entry started at the beginning of this year. Jochen Hoenicke is the developer/author of Cashaddr #285. It has three commits and includes Satoshi Labs’ Pavol Rusnak as a repository participant. Though activity stops at the end of February, the most detail comes around the middle of that month.


“This needs to be done outside the firmware for cashaddr support,” Mr. Hoenicke explains, “Webwallet: compute cashaddr addresses from xpub. Note that only the last step from hashed public key to address needs to be changed. The webwallet checks that the address the Trezor returns is as expected. This check should also allow 1.. addresses so that it works with older firmware (so we don’t have to deploy both at the same time); allow cashaddr as send to address. The firmware supports both and both use SPENDADDRESS. The only difference is the confirmation message given to the user; the transaction format did not change at all.”

If true, it’s an interesting turn of events in the mini-drama surrounding the issue. In the summer of last year, just prior to the fork creating bitcoin cash, it was Mr. Rusnak who warned through GitHub, “I suggest to change the address version to something different, so it is obvious the address is a Bitcoin Cash address. (It can start with C for example). Don’t forget to change also address version for P2SH!” It would turn out to be fateful advice, advice that, for whatever reason, was not initially followed.

Ideology Aside, Trezor Usually Yields to Customers

Recognized as a lead developer of bitcoin cash, Amaury Séchet (otherwise known as deadalnix), responded to Mr. Rusnak’s warning, “Agreed. I have a plan to change the address format. Changing the address format is expensive, so I would like to investigate various other option than just changing the prefix before settling on something. I would also have to convince other in the space that this is a good address format,” and eventually Cashaddr became that option.


As recently as two weeks ago, Trezor responded to longtime Reddit user u/normal_rc, who had posted on the popular bitcoin cash forum r/btc about how the company was outright refusing to add the address change. In response, the Trezor cofounder tweeted “This mess was made by bad architectural decision of [BCH] team. We warned them, they knew about the issues and they decided to ignore it. I refuse any responsibility for it. Cashaddr support is in standard development process and it’ll be ready when done.”

Though it reads as hostile, it does leave the door open to eventual implementation. Combined with the even more recent acknowledgment and GitHub activity, bitcoin cash users continue to have reasons to be hopeful about the coin’s future prospects.


The post Trezor to Implement Bitcoin Cash Addresses appeared first on Bitcoin News.
