Cybersecurity researchers have disclosed a glaring vulnerability in the KeepKey cryptocurrency hardware wallet that allows physical attackers to steal funds in just 15 minutes.

Kraken Security Labs’ latest blog details a “voltage glitching” attack that extracts the encrypted seed used to access cryptocurrency stored on the device.

An attacker can then brute force the encrypted seed, as it is simply protected by a 1-9 digit PIN, which the firm described as “trivial.”

Screenshot courtesy of Kraken Security Labs

Worse still, researchers warn that fixing this flaw is no easy feat  the KeepKey team reportedly can’t do anything about it without redesigning the hardware.

“The attack takes advantage of inherent flaws within the micro-controller that is used in the KeepKey,” said Kraken Security Labs.

KeepKey wallets are sold by cryptocurrency exchange platform ShapeShift.

KeepKey apparently needs to be completely redesigned

“Voltage glitching” refers to maliciously controlling the power supply of a micro-controller, which in this case belongs to the cryptocurrency wallet itself. The firm estimates that a consumer-friendly “glitching device” could be created for around $75.

These attacks target the first piece of software executed by the wallet when it loads. In KeepKey’s case, this is referred to as “BootROM code.”

Kraken Security Labs notes this particular attack cannot be reliably stopped by any measures put in place by the vendor’s firmware.

“Although much of the original KeepKey codebase is based on the Trezor One, their codebases have diverged. The KeepKey team added several mitigation mechanisms to make the KeepKey firmware resilient to the glitching attacks demonstrated during the Wallet.Fail talk at 35th Chaos Communications Congress; however, these were proven to be ineffective,” reads a technical explanation of the attack.

Is this really the most secure way?

“The specific glitch used against the KeepKey was based on the Wallet.Fail and Chip.Fail talk at Blackhat USA 2019. Most importantly, this research demonstrates that the security of a wallet like the KeepKey should not solely be based on the security of the STM32F205 micro-controller,” it adds.

Put simply: this vulnerability is “inherent” to the KeepKey hardware itself, and it cannot be patched. The firm warns the underlying hardware needs to be replaced with a new revision to keep it safe from physical attacks.

What do to if you use a KeepKey cryptocurrency wallet

It might sound obvious, but the firm warns those using KeepKey cryptocurrency wallets shouldn’t allow physical access to their devices to ensure their funds are safe.

Researchers then highlight that KeepKey is already aware of similar attacks, but that it has previously claimed that “KeepKey’s job is to protect your keys against remote attacks,” rather than physical ones.

“While physical attacks are certainly difficult to defend against, we find this stance to be potentially out of line with the branding of their product as ‘The Next Frontier of Crypto Security,’” said Kraken Security Labs.

The researchers then noted that they disclosed the full details of this attack to KeepKey on September 11 of this year.

“It is important to understand that if you physically lose your KeepKey this vulnerability could be used to access your crypto[currency],” they noted.

Hard Fork has reached out to KeepKey to learn more about how it plans to respond to this latest vulnerability, and will update this piece should we receive a reply.

Published December 10, 2019 — 16:09 UTC