The 35th annual Chaos Communication Congress, organized by the legendary European Chaos Computer Club, featured three self-described low-level hardware developers who began their talk with a chilling thought: there really isn’t a lot of effort being put into cryptocurrency security. Over a half-year project, Dmitry Nedospasov, founder of Toothless Consulting and co-creator of Hardware Security Training, along with Thomas Roth and Josh Datko, broke into the most popular cold storage hardware wallets on the market. Now they’re telling everyone how they did it, complete with live demonstrations.
Three Guys Break Into Popular Hardware Wallets
Nedospasov asked how many in the assembled audience hold cryptocurrency, and at least he said he was sorry to everyone in the room who raised a hand. He also assured enthusiasts that he and his mates love crypto, and that they don’t mean to offend anyone.
The hacker ethos is one of endless curiosity, of looking at the world as a giant puzzle to be solved and explored, and of challenging gatekeepers’ assumptions about power. That spirit of reverse engineering, wishing to find the go of things, was in full evidence during their talk, titled “Wallet.fail, Poof Goes Your Crypto.”
They started a group chat to explore the issue back in the summer of this year, and 50,000 messages and 1,100 images later, the results are pretty startling. For the less technically inclined, the lecture first outlines the foundations of crypto storage, namely asymmetric cryptography and Bitcoin Improvement Proposals (BIPs) 32 and 44.
Stickers are Not Security
The talk itself centered on four main attacks on hardware wallets: supply chain attacks, firmware vulnerabilities, well-known side-channel attacks, and even chip-level vulnerabilities.
Josh Datko took the first attack investigation, supply chains. He was quick to point out the latest manufacturer fad of putting ever-glossy and colorful security stickers on devices in order to assure customers all is well. Uh, no. “Stickers are not security,” Datko insisted. He likes stickers too, but don’t be lulled into complacency.
Products like Trezor come in a box with the requisite sticker, which can give false assurance: credulous consumers believe no bad actor has compromised the device if the sticker remains intact, shiny, pleasant, and official looking. Datko points out the seemingly obvious: such feel-good security measures can be foiled with a simple hair dryer. The dastardly black hat removes your cold storage wallet, does his thieving best, and reinserts the Trezor, in this example, back into the box. Bob’s your uncle, you’ve just been compromised unawares.
If Datko is to be believed, Ledger devices are incredibly easy to open without the end user suspecting much. A few tweaks of the inside components, and, poof, the Ledger is reassembled and sent to steal your crypto.
From there, he goes into some pretty creative supply chain attacks, using RF transistor chips, etc., where Datko essentially gains full control of crypto transactions all for a measly $3.00, give or take. It’s actually crazy how much room is left in these devices for hacks such as the physical ones he demonstrates. He seemed to have ample space to really put a lot of hardware inside the Ledger, for example. His remote demo is wild, and has to be seen.
The other presentations are equally compelling and well worth watching for better cold storage security literacy. Considering how much value some cryptos can accumulate, this would be a great investment of time.
The Good, Bad, Ugly
“The attacks that we perform against the hardware wallets range from breaking the proprietary bootloader protection, to breaking the web interfaces used to interact with wallets, up to physical attacks including glitching to bypass the security implemented in the IC of the wallet,” the team detailed.
What’s wonderful about their work is the breadth of coverage, and how they find systemic, recurring problems while providing insight into making cold storage more resilient. “Hardware wallets are becoming increasingly popular and are used to store a significant percentage of the world’s cryptocurrency,” they explain. “Many traders, hedge funds, ICOs and blockchain projects store the entirety of their cryptocurrency on one or very few wallets. This means that users of hardware wallets store tens of millions of euros of cryptocurrency on small USB peripherals that cost only a few euros to manufacture. Moreover, many users that trade and speculate in cryptocurrency interact, update, and generate transactions using their hardware wallets on a daily basis.”
The three look at the ugly, good, and bad within the industry, and walk through wallet architectures popular today. It’s hacking at its very best, and the broader ecosystem could use such doses of reality in metric tons of cold water.