Crypto hardware wallet provider OneKey says it has already addressed a firmware vulnerability that could allow one of its hardware wallets to be hacked in less than a second.
February 10, YouTube video Posted Cybersecurity startup Unciphered has revealed that it has found a way to exploit a “critical critical vulnerability” to “crack open” the OneKey Mini.
According to Unciphered partner Eric Michaud, they were able to put the OneKey Mini back in “factory mode” and bypass the security pin by disassembling the device and inserting the coding. wallet.
“There is a CPU and a secure element. The secure element is where you keep your cryptographic keys. Today, communication is typically encrypted between the CPU and the secure element where processing takes place,” Michaud explained.
“In this case, it turns out it wasn’t designed to do that, so you can put a tool in the middle that monitors and intercepts communications and injects your own commands,” he said. , added:
“We told the Secure Element that we were in factory mode so we could retrieve the mnemonic, which is encrypted money.”
However, in a February 10 statement, OneKey already handle The security flaws identified by Unciphered are that the company’s hardware team updated security patches “earlier this year,” but that “no one was affected,” and that “all disclosed vulnerabilities has been or has been amended.”
Responding to recent security fix reports https://t.co/Dp9nNp1D0U
— OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
“However, with password phrases and basic security practices, even the physical attacks disclosed by Unciphered will not affect OneKey users.”
The company further notes that while the vulnerability is a concern, the attack vectors identified by Unciphered cannot be used remotely and “can be taken apart and physically accessed and executed in the lab via a dedicated FPGA device. I emphasized that it is necessary to
OneKey revealed in its interactions with Unciphered that other wallets were found to have similar problems.
“We also paid an Unciphered Bounty to thank OneKey for their contributions to security,” OneKey said.
Related: ‘It’s haunting me to this day’ — Crypto project hacked in hotel lobby for $4 million
In a blog post, OneKey said it has already gone to great lengths to ensure user security, including protecting users from supply chain attacks, where hackers replace genuine wallets with user-controlled ones. says.
OneKey’s measures include tamper-proof packaging for shipping and use of Apple’s supply chain service providers to ensure strict supply chain security controls.
In the future, we hope to implement onboard authentication and upgrade our new hardware wallets with higher level security components.
OneKey says the main purpose of hardware wallets has always been to protect users’ money from malware attacks, computer viruses, and other remote dangers, but unfortunately, nothing is 100% secure. I admit nothing.
“If you look at the entire hardware wallet manufacturing process, from silicon crystal to chip code, firmware to software, even if it’s a nuclear weapon, given enough money, time, and resources, you can break the hardware barrier. It is no exaggeration to say that it is possible to control the system.”