Kraken: Keepkey Crypto Hardware Wallet Has an Alarming Flaw
Crypto holders who keep their coins on a KeepKey hardware wallet have good reason not to mention it in public: the flaw described below needs physical access to the device.
Kraken Warns Crypto Users
The warning comes in Kraken’s latest blog post, which discusses a serious flaw affecting every KeepKey hardware wallet. The US exchange’s security research team says it has found a way to extract the seed from a KeepKey device. For context, a seed phrase is a string of random words from which a cryptocurrency wallet’s keys are recovered, so anybody who obtains the seed can spend the funds held by that wallet.
Kraken traced the problem to the devices’ microcontroller. An attacker with physical access to a victim’s wallet can use specialised hardware to read the encrypted seed out of the chip. The seed is protected only by the wallet’s PIN, so the attacker then brute-forces the PIN against the extracted copy, offline, without the delays the device itself would impose on wrong guesses.
Because the weakness lies in the microcontroller hardware rather than in firmware, it is present in every KeepKey in circulation and cannot be closed by a software update; fixing it would mean replacing the devices with redesigned ones.
“This,” wrote Kraken, “unfortunately means that it is difficult for the KeepKey team to do anything about this vulnerability without a hardware redesign.”
Not a New Problem
KeepKey dismissed Kraken’s findings as nothing new, pointing to two earlier articles on the same issue. One was written by ShapeShift, which offers KeepKey as the premier wallet for its crypto-to-crypto exchange. In June the trading platform had written that KeepKey protects clients’ funds from the most common attack vectors, such as viruses, malware, or remote hackers trying to steal private keys, but that, like any other wallet maker, it cannot protect a device from an attacker who holds it in hand.
“If somebody else has physical access to your device — as well as the time, skill, and tools necessary — they will always be able to command the device to do whatever they want, bypassing any digital lock that exists,” wrote ShapeShift. “Again, this is true of any hardware wallet.”
— KeepKey (@cryptokeepkey) December 10, 2019
KeepKey’s rival Ledger responded in much the same way to a malware issue affecting its Nano S wallets in 2018. After DocDroid reported that malware could tamper with the Ledger software by replacing the receiving address copied by the user with the attacker’s own, the firm replied that the problem was universal. Excerpts:
Malware can always change what you see on your computer screen. The only solution is prevention and building a UX to make the user check on their device. The on-device verification feature has been added [six] months ago already.
Solution: Use Complex Passphrases
Charles Guillemet, chief security officer at Ledger, demonstrated that an attacker could recover a KeepKey wallet’s PIN in less than a minute by trying combinations. Kraken cited the same finding in its blog post, prompting ShapeShift to publish an eleven-step guide to mitigating the problem. ShapeShift’s advice:
Guillemet recommends using passphrases comprised of at least 32 characters made up of a unique combination of numbers, symbols, as well as upper and lower-case letters…With a sufficiently-long passphrase, if an attacker takes the data off your device, they’ll never be able to unlock it. Your PIN and your passphrase keep your funds safe.
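The two halves of the story above, the offline PIN brute force against a seed copied off the device and the passphrase that defeats it, as an added worked example. This is not code from KeepKey, Kraken or ShapeShift: the “encrypted mnemonic in flash” format (PBKDF2 of the PIN, an HMAC keystream, a MAC tag) is a simplified stand-in, the iteration count is kept tiny so the demo runs quickly, and the PIN, passphrase and attempt counts are constructed for the demo. Only the BIP39 seed derivation and its published test vector are the real thing.

```python
"""Added example (not KeepKey's, Kraken's or ShapeShift's code).

(1) Once the encrypted mnemonic has been dumped from the chip, a numeric PIN
    is brute-forced offline; no device-side delay or wipe counter applies.
(2) A BIP39 passphrase is never stored on the device, so even a recovered
    mnemonic derives a different wallet without it.
The storage format below is a simplified stand-in (assumption), not KeepKey's.
"""
import hashlib
import hmac
import itertools
import os
import unicodedata
from typing import Optional, Tuple

PIN_KEYS = "123456789"   # Trezor-style keypads offer the digits 1-9 only
MAX_PIN_DIGITS = 9       # longest PIN such wallets accept
KDF_ITERATIONS = 50      # tiny on purpose so the demo is fast (assumption)


def pin_keyspace(max_digits: int = MAX_PIN_DIGITS) -> int:
    """Number of PINs of 1..max_digits digits from the 9-key pad."""
    return sum(len(PIN_KEYS) ** n for n in range(1, max_digits + 1))


def _pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA512 in counter mode stands in for a real cipher (assumption)
    out = b""
    for ctr in range((length + 63) // 64):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha512).digest()
    return out[:length]


def seal_mnemonic(mnemonic: str, pin: str) -> dict:
    """What a wallet might keep in flash: salt, nonce, ciphertext, MAC tag.
    The passphrase is deliberately absent: BIP39 wallets never store it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _pin_key(pin, salt)
    pt = mnemonic.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_mnemonic(blob: dict, pin: str) -> Optional[str]:
    """Return the mnemonic if `pin` is right, else None (tag mismatch)."""
    key = _pin_key(pin, blob["salt"])
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    ct = blob["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, blob["nonce"], len(ct)))).decode()


def brute_force_pin(blob: dict, max_digits: int = 4) -> Optional[Tuple[str, str, int]]:
    """Offline attack on a dumped blob: try every PIN of 1..max_digits digits.
    Returns (pin, mnemonic, attempts) or None."""
    tried = 0
    for n in range(1, max_digits + 1):
        for digits in itertools.product(PIN_KEYS, repeat=n):
            tried += 1
            pin = "".join(digits)
            mnemonic = open_mnemonic(blob, pin)
            if mnemonic is not None:
                return pin, mnemonic, tried
    return None


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


# Published BIP39 English test vector (all-zero entropy, passphrase "TREZOR").
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def check_bip39_vector() -> bool:
    return bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_HEX


def demo(pin: str = "3712", passphrase: str = "a long passphrase the device never stores") -> dict:
    """Victim seals the mnemonic under `pin` (constructed values); the attacker
    recovers it offline but, lacking the passphrase, lands in a different wallet."""
    blob = seal_mnemonic(TEST_MNEMONIC, pin)                       # "dumped" from flash
    found_pin, mnemonic, tried = brute_force_pin(blob, len(pin))   # attacker, offline
    return {
        "pin_recovered": found_pin == pin,
        "attempts": tried,
        "mnemonic_recovered": mnemonic == TEST_MNEMONIC,
        "attacker_has_funds_wallet": bip39_seed(mnemonic) == bip39_seed(mnemonic, passphrase),
        "pin_keyspace_9_digits": pin_keyspace(9),
    }


if __name__ == "__main__":
    print(demo())
```

The numbers are the point: every PIN of up to nine digits from a nine-key pad is about 4.4 × 10^8 candidates, which any laptop exhausts in minutes once the device’s retry delays are out of the picture, whereas a 32-character passphrase drawn from printable ASCII is roughly 95^32 ≈ 2^210 and is never written to the device at all.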
The episode recalls a complaint that doomsday economist Nouriel Roubini has made about cryptocurrencies: anybody with a gun can take the private keys to a wallet holding millions of dollars’ worth of bitcoin, and because crypto transactions are irreversible, the victim has no way to get the stolen funds back.
Through the third quarter of 2019 the cryptocurrency industry had lost about $4.4 billion to fraud and theft, according to a CipherTrace report; as of June the figure was $1.1 billion.
What do you think of Kraken’s findings? Add your thoughts below!
Images via Shutterstock, Twitter @cryptokeepkey