Wallet.fail, a Berlin-based security research team, has launched a series of successful physical attacks on popular hardware devices from Trezor and Ledger.
During a presentation at the 35th Chaos Communication Congress in Leipzig, Josh Datko, Dmitry Nedospasov and Thomas Roth demonstrated a series of attacks on the popular hardware wallets Trezor and Ledger.
In particular, the exploits demonstrated included the following:
- Getting a PIN and mnemonic phrase from Trezor RAM;
- Signing transactions remotely through a compromised Ledger Nano S;
- Intercepting the Ledger Blue PIN;
- Lacking load Ledger Nano S.
In addition, the researchers identified five separate classes of vulnerabilities that can be used in attacks on hardware wallets, namely:
After this, values in the hardware wallet industry will most likely be re-evaluated. The good news, of course, is that average users will probably never face such attacks, because in most cases attackers simply won't have physical access to the devices.
Commenting on the situation, the CTO of SatoshiLabs, the company responsible for Trezor, wrote on Twitter that they were not informed about the errors in advance, so they learned about them from the stage. He also added that the fixes will be delivered through a firmware update at the end of January.