Asked To Please Restore Account, Kingpin Instead Find Weaknesses Trezor One Wallet
JAKARTA – A computer engineer and hardware hacker has revealed how he has managed to crack the Trezor One hardware wallet, which contains more than US$2 million in funds.
Joe Grand, a computer expert based in Portland and also known as the hacker nicknamed, Kingpin, - posted a video on Youtube explaining how he carried out the clever hack.
After deciding to cash in on an initial investment of approximately US$50,000 in Theta in 2018, Dan Reich, a NYC-based entrepreneur, and his friend realized they had lost the security PIN to Trezor One where the tokens were stored.
After unsuccessfully trying to guess the security PIN 12 times, they decided to exit before the wallet auto-deleted itself after 16 wrong guesses.
But with their investment growing to $2 million this year, they are redoubling their efforts to access the fund. Without their seed phrases or wallet PINs, the only way to retrieve tokens is through hacking.
They contacted Grand who spent 12 weeks of trial and error but eventually found a way to recover the lost PIN.
The key to this hack is that during a firmware update, the Trezor One wallet temporarily moves the PIN and keys to RAM, only to then move them back to flash once the firmware is installed.
Grand discovered that in the firmware version installed on the Reich wallet, this information is not transferred but copied to RAM, which means that if the hack fails and the RAM is deleted, information about PINs and keys will still be stored in flash.
After using a fault injection attack — a technique that converts voltage to the chip — Grand was able to go beyond the security that the microcontroller had to prevent hackers from reading RAM, and obtaining the PINs needed to access wallets and funds.
“We are basically causing bad behavior on the silicon chip inside the device to beat security. And what ended up happening is I'm sitting here watching a computer screen and seeing that I can beat security, personal information, recovery seeds, and the pins I was looking for appear on the screen," Grand said as quoted by Cointelegraph.
According to a recent tweet from Trezor, this vulnerability, which allows pins to be read from wallet RAM, is an older one that has been fixed for newer devices. But unless changes are made to the microcontroller, error injection attacks can still pose a risk.