After cryptocurrency exchange Kraken reported a flaw in the hardware wallet KeepKey, the owner of the product, crypto exchange ShapeShift, replied that the report is misleading and the attack difficult to carry out.
The story starts on December 10, when Kraken Security Labs published a post alleging that there are inherent flaws within the microcontroller used by the KeepKey wallet, which allow seeds to be extracted from the wallet with only c. 15 minutes of physical access to it and a DIY, consumer-friendly glitching device worth c. USD 75.
“It’s misleading to claim the device can be hacked in 15 minutes,” replied ShapeShift today. “Executing this attack requires significant preparation and expertise as well as specialized equipment, and assumes physical possession of the device.”
This response was somewhat short, as ShapeShift claims that the Kraken Security Team contacted them with the report in September, but that the company had already addressed the issue in detail in June and in August. KeepKey’s first reply actually came a few hours after Kraken’s statement and referenced these two previous responses. They shared the June post, which was published in response to a presentation by Ledger, another major player in the hardware wallet industry, about extracting seeds from wallets, in which a private key was extracted from KeepKey.
ShapeShift admitted to knowing “about an attack that yields the private key *since* before we acquired KeepKey in 2017,” and went on to describe it. There is a contradiction here between the two posts, as ShapeShift’s post today says “this was an issue we had self-identified in June 2019,” a date that falls after the May 1 report of a vulnerability, which was itself reported in their detailed August post. We have asked ShapeShift for a clarification.
Meanwhile, ShapeShift said in June that, as with any hardware wallet, “this vulnerability is one in which an attacker would need to have physical possession of your KeepKey. KeepKey’s job is to protect your keys against remote attacks.”
All of KeepKey’s/ShapeShift’s posts and Kraken’s post agree that, to prevent the attack, users should:
- keep others away from your KeepKey;
- enable your BIP39 passphrase with the KeepKey client.
Reactions to these posts varied: people had a number of suggestions, but also complaints, starting with ShapeShift’s instructions.
Instructions unclear: uploaded my BIP39 seed phrase to Dropbox, where I reused the same password on literally every other website. Going to sue you now, once I finish screeching. /s
— Rich Sanders [Jan/3➞₿🔑∎] (@Raindropactual) December 11, 2019
I guess people keep falling for sensationalist news. 1) This was announced a long time ago 2) Kraken is a competitor of @ShapeShift_io 3) Hacked in 15 minutes? yes, if you have the hardware and know what the shit you are doing 4) Keep your god damn wallets secured and use pphrase.
— DanielRe (@LeRatton) December 11, 2019
Some say that any device can be compromised, and cheaply, and some believe that it would be very difficult to fix this problem: “Given where the vulnerability lies, they would have to redesign the hardware part, and as they consider their field is only to protect against *remote* attacks,” said a Twitter user.
Others were worried about the security of other major wallets, particularly Trezor, with one person tweeting: “As cryptokeepkey is a Trezor clone, is there anything preventing the same attack on Trezor? I agree with NVK [Rodolfo Novak] that a secure chip is necessary for physical security. But that needs reproducibly built open-source firmware for trust minimization.”