
Critical flaw in Trezor hardware wallets - menduz
https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
======
Ardren
The original response about these types of issues [1] rubs me the wrong way.

In particular this statement:

> That being said, we were surprised by Ledger’s announcement of this issue,
> especially after being explicitly asked by Ledger not to publicize the
> issue, due to possible implications for the whole microchip industry, beyond
> hardware wallets, such as the medical and automotive industries.

As I understand, they are using a standard STM32 chip for these wallets, and
relying on its basic protection. Companies make real processors designed for
securely storing data, why aren't they using them? Instead they are suggesting
that there is no alternative and everyone is vulnerable to this style of
attack.

Edit: I missed some of the backstory. They don't mention that option as their
competitor (who found the security issues) already uses a secure element, like
a sane person.

[1] - [https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4](https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4)

~~~
mistahenry
To me, this is a full admission of a complete lack of security competency.
Building a hardware wallet without using a smart card or some other secure
element that at least has mitigations against voltage/clock glitching,
detects light, reduces the ability to measure power consumption, etc. is
negligent.

Either they don’t know how to design secure solutions or they wanted to use
cheaper chips since tamper resistant chips cost more. Neither is a good look.

~~~
logicallee
As most on HN know, if anyone has physical access it's game over - so when I
read "critical flaw" in the title to me that meant remote key extraction (or
similar remote flaw), and since there's nothing remote about this I consider
it a clickbait article. No, what has been written up is not "critical".

Physical in-person key extraction after literally opening up a piece of
hardware and glitching its exposed innards isn't a "critical flaw". It's a
baseline expectation.

I would rate the issue raised in the article as "not a bug, won't-fix." with
the explanation that "Physical key extraction will always be possible
regardless of anything we do."

Or are people here claiming that their "better" competitors (who are using
"better" hardware, more "correctly") are immune from physical attacks?

EDIT: I am keeping this even if it gets voted to -4. I don't believe a
physical, local (in person) glitching attack on the innards of a device, which
requires physical access and opening it, constitutes a "critical"
vulnerability on a hardware cryptographic device.

~~~
mistahenry
IMO there's a huge difference between invasive and non-invasive attacks. I
would expect something that bills itself as "The safe place for your coins" to
require a bit more effort, know-how, and tools to read out my keys than "a
couple hundred dollars of equipment" and a python program.

> if anyone has physical access it's game over

It's actually not when you use a series of common defenses that wipe the chip
when tampering is detected. Of course it's still possible to determine the
private keys via perfectly executed microprobing...but there's a huge
difference here. Invasive attacks require significant time in very expensive
laboratories per attack, which very well may fail.

Let's say you managed to steal my wallet which leverages a secure element with
tampering protection. If you're unaware that voltage/clock glitching will wipe
the device, you may try and then you've lost. But let's say you're aware so
you want to go the microprobing route. Do you have the necessary lasers and
acids to get directly to the circuitry you want to read out without
accidentally compromising the integrity of the top-layer sensor meshes? Do you
possess a focused ion beam station (only costs ~500k USD)? By using this mesh
I've made the extraction significantly more tedious and requiring far higher
levels of precision for you. You've got my smart card, but I wouldn't call it
"Game Over" by any means. Maybe in this amount of time I figured out that my
wallet is missing.

This attack here on the Trezor, though, requires physical access but can be
automated. Here, physical access really is game over. I would rate this issue
as "Trezor shows themselves to be an inferior solution, will not use to store
my keys".

Read here if you want to see more on techniques for readout and known
countermeasures.
[https://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf](https://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf)

~~~
logicallee
Interesting comment, thanks. What would you say about my other question: how
good are tamper evident seals - for example would a tamper evident seal on the
enclosure show visually whether it has been opened (for example to exploit the
flaw this article is about), or are tamper evident seals easy to get around or
re-apply undetected?

~~~
tgsovlerkhgsel
Depends on the seal; most are not particularly strong and the rest require
thorough and well-designed inspection procedures.

------
rdl
Trezor is designed to protect against remote/logical attacks (including a
compromised host). It isn't really hardware protected in any meaningful way
against local access. This lets users inspect/validate their own hardware
better, though.

The issue is most users (reasonably, IMO) assume physical protection for their
hardware wallets, at least against someone getting temporary access and
without insane levels of resources. That is fairly safe using a Ledger today
(barring an undisclosed vuln); that's why I think the Ledgers are somewhat
better.

~~~
sneak
I think people in practice buy these and use them thinking that they are
secure against physical theft because of “encryption” and requiring a pin.

This shows that assumption to be totally false.

~~~
literallycancer
The attack doesn't work if you are using a passphrase. I'm not sure why they
let people use a PIN in the first place, but you should never be using PIN
instead of a passphrase.
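Why the passphrase defeats a seed readout: Trezor's recovery seed follows BIP39, where the passphrase is a salt that is never stored on the device, so whatever is extracted from flash or RAM still has to be combined with the passphrase to reach the real master key. The following is an added illustration, not code from the thread or from Trezor; the mnemonic is the constructed all-"abandon" test phrase and the attacker's guess is a placeholder.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the well-known all-"abandon" BIP39 test mnemonic, not a real wallet.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed):
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed" over the BIP39 seed.
    Returns (master private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def extracted_secret_is_sufficient(stored_mnemonic, real_passphrase, attacker_guess=""):
    """Model the readout scenario from the thread: the attacker obtains the mnemonic
    stored on the device, but the passphrase is only ever typed in, never stored.
    Returns True only if the attacker can reproduce the victim's master key."""
    victim_key, _ = bip32_master_key(bip39_seed(stored_mnemonic, real_passphrase))
    attacker_key, _ = bip32_master_key(bip39_seed(stored_mnemonic, attacker_guess))
    return hmac.compare_digest(victim_key, attacker_key)


if __name__ == "__main__":
    # Same stored mnemonic, two different passphrases: two unrelated wallets.
    print(bip39_seed(SAMPLE_MNEMONIC).hex()[:32], "<- no passphrase")
    print(bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex()[:32], "<- passphrase 'TREZOR'")
    print("PIN-only wallet, seed read out:", extracted_secret_is_sufficient(SAMPLE_MNEMONIC, ""))
    print("Passphrase wallet, seed read out:", extracted_secret_is_sufficient(SAMPLE_MNEMONIC, "placeholder"))
```

The PIN only gates the device's own access to the stored seed, which is exactly what a physical readout bypasses; the passphrase changes the derived key itself, so a readout yields only an empty-passphrase wallet.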

------
londons_explore
Why don't all silicon chips have glitch and overvoltage detection?

It would seem very easy to put a pair of FETs in such a way that they detect
sudden voltage changes (via their gate capacitance). That could then be used
as an input to a circuit which ensures the chip is properly reset by asserting
the reset line for at least 1 clock cycle.

This should probably be paired with brown-out detection, although that's power
hungry, so I can see why people might not want it.

This wouldn't only have security benefits - lots of electronic designs might
be accidentally glitching their microcontrollers due to poor design of other
circuits, and having the chip reset in a predictable way is much better than
undefined behaviour.

~~~
pjc50
Brownout detection is definitely one of those things to turn off for low-power
operation. I suspect glitch detection is harder than it sounds, too.

------
nnx
Nothing in this flaw is a surprise considering Trezor does not even use a
secure element (unlike Ledger).

~~~
pat2man
It’s surprising considering how cheap SIM card chips are. It’s not hard to do
secure elements these days, at least at scale.

~~~
Nextgrid
Have SIM cards actually been tested against these vulnerabilities? The payoff
per card cracked is much lower than with crypto wallets so maybe there’s just
no point trying these attacks?

------
thinkloop
Some lucky people will be able to restore lost crypto.

~~~
FatalLogic
That really has happened. A legit owner used an old vulnerability to rescue
$30,000 from a Trezor wallet when he forgot the pin.

[https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin](https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin)

Luckily he hadn't updated the firmware so the vulnerability wasn't patched on
his device, but despite that, it took a long time and was not easy. But like
this newer vulnerability, it would almost be impossible if he had also used a
strong passphrase, as Trezor recommends.

------
rohanagarwal94
Every wallet is physically hackable, that is why we are building Cypherock,
where we introduce a second variable, location, using Shamir Secret
Sharing on the private keys. I would love to have the opinion of the
community on it - [https://cypherock.com](https://cypherock.com).

------
paulpauper
This may seem bad, but how many people have lost crypto because of this? You
are more likely to have your crypto stolen when transferring crypto to your
Trezor when setting it up.

------
tmlee
No hardware can protect itself from absolute physical compromise; perhaps a
self-fuse burner when somebody tries to open it.

~~~
tzumby
Banks store private keys for their ATMs in hardware security modules (HSM) and
there are lots of crypto exchanges that started doing that. One of the
features is private keys self destruct when tampering is detected. If you have
a backup you’ll be able to recover the private key. While I agree that Trezor
wasn’t designed with this in mind, I think it’s a good idea to include this
feature. Not sure about the size requirements for that though, it might make
the device significantly bigger.

~~~
wbl
At this year's RWC someone fuzzed the software on the HSM. Keys came out.

~~~
tzumby
Thanks for sharing this, I had to google RWC. For others that don’t know the
acronym: [https://rwc.iacr.org](https://rwc.iacr.org)

