The KeepKey cryptocurrency hardware wallet can allegedly be compromised in only 15 minutes if hackers have physical access to it, according to cybersecurity researchers with Kraken Security Labs.
In a blog post, Kraken Security Labs details that through a “voltage glitching” attack that extracts the encrypted seed used to access crypto stored on a KeepKey device, hackers can brute force the 1-9 digit PIN the user set, which is “trivial to brute force.”
Kraken estimates that a consumer-friendly device that can be used for “voltage glitching” attacks can be created with only $75. These attacks control the power supply of the micro-controller used in the KeepKey wallet itself, to then target the software executed when KeepKey loads, allowing for the brute force to take place later on.
In total, Kraken noted that the attack does require technical knowledge, can be done in about 15 minutes. As it’s an attack on the micro-controller used in KeepKey, Kraken Security Labs notes there’s little the vender, crypto exchange ShapeShift, can do updating its firmware.
Kraken’s post reads:
The attack takes advantage of inherent flaws within the micro-controller that is used in the KeepKey (…) Most importantly, this research demonstrates that the security of a wallet like the KeepKey should not solely be based on the security of the STM32F205 micro-controller.
To stay safe, Kraken Security Labs added that cryptocurrency users should avoid allowing anyone to access their KeepKey devices physically, and to enable their BIP39 passphrases with the KeepKey client, as these aren’t stored on the device and, as such, aren’t vulnerable to the attack.
Kraken Security Labs detailed KeepKey is aware of these types of attacks but has claimed its job is to “protect your keys against remote attacks.” The vulnerability was responsibly disclosed on September 11 of this year, and Kraken is now going public with it to let the crypto community protect itself, the blog post reads.