Crypto World Plays Down Trezor ‘Hack’

  • The crypto world has played down the hack of a Trezor Model T hardware wallet
  • Crypto recovery firm Unciphered managed to extract a seed phrase and PIN from a newly upgraded Model T
  • However, the hack can be mitigated with a strong passphrase

The crypto world has reacted coolly to the claim from crypto recovery company Unciphered that it has hacked the Trezor Model T hardware wallet, with some suspicious of the timing of the hack. Unciphered claimed on Wednesday that it was the first to compromise the hardware wallet with its new firmware. The community has been almost dismissive of the claims, saying that the vulnerability is easy to protect against, while also questioning whether the company has any connections to Ledger, which has endured a week from hell over its botched Ledger Recover launch.

Unciphered Copied Kraken Method

Unciphered revealed on Wednesday that it was able to physically compromise a Trezor Model T wallet upgraded with the most recent software, extracting its seed phrase and PIN in the process. The company didn’t reveal exactly how it had achieved the hack, but Trezor responded by saying that the method resembled a similar feat from Kraken Security Labs in 2019, which utilised a Read Protection Downgrade (RPD) attack.

This type of hack requires physical access to the device and, in the words of Trezor, “extremely sophisticated technological knowledge and advanced equipment,” making it almost impossible for a regular user to achieve. Trezor also pointed out that the use of a strong passphrase was enough to combat the threat, making the risk minimal.

Crypto World Says ‘Meh’

The crypto world wasn’t too perturbed by Unciphered’s hack, with many pointing out that the attack vector has been discovered before and that, even though it was carried out on newer firmware, the achievement was unremarkable. In fact, becoming a victim of this hack would require meeting very strict criteria:

  • No passphrase on the device
  • The device to be physically stolen
  • Institutional-grade equipment in the hands of the hackers
  • The user to be unaware of the theft for the amount of time required to get the device to the lab for seed and PIN extraction

Given that such a gang would only target known high-net-worth holders, the odds of those individuals not having a passphrase on their device are slim to none, rendering the attack extremely unlikely.

Ledger Involved?

The timing of the hack is also suspect, given that it comes in the wake of Ledger’s fiasco over its Ledger Recover program. Trezor secured a leg up in the PR war over Ledger in the wake of the farcical launch by promising that its devices will never allow the seed phrase to be shared and even launching a quick-fire online sale to capitalize on the attention.

This has led to some questioning whether Ledger was somehow involved in the hack in an attempt to damage Trezor. If it was, it failed, again.