Your Trezor private keys could be revealed by a security error

In only 15 seconds, a Trezor device can be hacked and all the information it contains extracted through a security flaw that was not detected in time.
Trezor devices were designed by SatoshiLabs as a solution that provides an isolated offline environment. But the discovery of a chip error could cause its users to lose all their crypto.

The vulnerability of the device was made public by the user Doshay Zero404Cool, through Medium. The document details how the possible failures of Trezor's hardware wallet (or cold wallet) were revealed.
During the hacking conference Def Con 25, held in late July, he described how attacks on the Trezor device are possible because it uses a chip that does not offer security.
The ST32F05 chip was designed by STMicroelectronics. The vulnerability of the chip represents a serious design flaw, and this implies that Trezor cannot replace all existing hardware. The vulnerability could extend to Keepkey and to Trezor v2, which will be released soon, because they use similar chips.
The error allows the 24-word seed, the PIN code and the device label to be extracted, which would make it possible to create an exact copy of the device. The theft of the device would allow a hacker, according to the procedure described by Doshay Zero404Cool, to extract the cryptocurrencies in only 15 seconds.
In addition, a hacker could check your balance or even restore the device to its original state. But how is this possible? The answer comes from the hardware design. When Trezor is connected to a power source, without any PIN code being entered or the device even being connected to a website, the Trezor firmware fills the SRAM memory with all the secret information of the user. This also occurs during a firmware update of the device. Firmware is a block of instructions that controls the circuits of a device.
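
The pattern described above, as an added example (not SatoshiLabs' firmware or its patch): a simplified C model in which a struct stands in for SRAM and constructed sample data stands in for flash. All names (`storage_t`, `boot_eager`, `boot_lazy`, `use_seed`, `demo_op`) are hypothetical; it contrasts copying every secret into RAM at power-on with loading the seed only after a correct PIN and wiping it after use.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical layout; values are constructed sample data standing in for flash. */
typedef struct { char seed[32]; char pin[8]; char label[16]; } storage_t;
static const storage_t FLASH = { "constructed sample seed words", "4821", "my-wallet" };
static storage_t sram; /* simulated SRAM: whatever is here shows up in a RAM dump */

/* Wipe through a volatile pointer so the compiler cannot optimise the stores away. */
static void memzero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Pattern the article describes: every secret is copied to RAM at power-on. */
void boot_eager(void) { memcpy(&sram, &FLASH, sizeof sram); }

/* Hardened pattern (assumed, not the vendor's patch): only the label is loaded. */
void boot_lazy(void) {
    memzero(&sram, sizeof sram);
    memcpy(sram.label, FLASH.label, sizeof sram.label);
}

/* Compare the entered PIN with flash; the stored PIN is never copied into sram. */
static int pin_ok(const char *entered) {
    char buf[sizeof FLASH.pin] = {0};
    size_t n = strlen(entered);
    uint8_t diff = 0;
    if (n >= sizeof buf) return 0;
    memcpy(buf, entered, n);
    for (size_t i = 0; i < sizeof buf; i++) diff |= (uint8_t)(buf[i] ^ FLASH.pin[i]);
    memzero(buf, sizeof buf);
    return diff == 0;
}

/* Stand-in for an operation that needs the seed, such as signing. */
int demo_op(const char *seed) { return (int)strlen(seed); }

/* Load the seed only after a correct PIN, run op, then wipe. Returns -1 on bad PIN. */
int use_seed(const char *entered_pin, int (*op)(const char *)) {
    if (!pin_ok(entered_pin)) return -1;
    memcpy(sram.seed, FLASH.seed, sizeof sram.seed);
    int rc = op(sram.seed);
    memzero(sram.seed, sizeof sram.seed);
    return rc;
}

/* 1 if a dump of the simulated SRAM would contain seed or PIN bytes. */
int sram_holds_secrets(void) { return sram.seed[0] != 0 || sram.pin[0] != 0; }
```

In this model, the eager boot leaves the seed and PIN in RAM before any PIN is entered, while the lazy boot keeps them out of RAM except for the duration of one authorised operation.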


SatoshiLabs, a company based in Prague, designed a security patch to resolve the error generated by the firmware. According to SatoshiLabs, the security patch offers a solution to the error for all devices with a firmware version prior to the update 1.5.2.
The statement that SatoshiLabs issued says that the update that solves the error has already been released for Trezor users, who only need to have their seed on hand before carrying out the process.
They also assert that the error was found by an "individual investigator" through their responsible disclosure program. Subsequently, a group of users, along with Jochen Hoenicke, offered a proven method to repair the firmware error. The statement reads:
"It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a dismantled TREZOR device with the electronic components exposed. It is impossible to do this without destroying the plastic box."
Doshay Zero404Cool argues that, with his "trick", it is not necessary to open the device to take advantage of the hardware flaw.
SatoshiLabs said it will give its clients a detailed report of the problem in the coming days. In principle the update will be optional; once the report is issued, the update will be mandatory.
SatoshiLabs assures that the 1.5.2 update removes the error and prevents a possible hacker who already holds any user's seed code from extracting the crypto assets from the Trezor device.
It should be noted that there are many types of security failures, such as information leaks. However, in this case the Trezor security experts were able to recognize the problem in time.
