KeepKey, the hardware wallet manufacturers, have hit back at a recent investigation by Kraken’s security team that revealed the ability to extract seed keys from the devices in around 15 minutes. The wallet maker noted that discovery of the flaw was nothing new, having been discovered earlier in the year and a response issued, and that it was no more or less vulnerable than all other hardware wallets.
Kraken Security Labs has found a way to extract seeds from a KeepKey cryptocurrency hardware wallet. Full story here:https://t.co/iPMKNhG2Jg
— Kraken Exchange (@krakenfx) December 10, 2019
A Little Time and a Little Money and You’re In
Kraken raised the security issue in a blog post on Tuesday, claiming that it would take a hacker 15 minutes and $75 to extract a KeepKey hardware wallet seed phrase, using limitations of the hardware present in the device. A prospective hacker would first have to obtain physical control of the device and could then employ the use of a “consumer-friendly glitching device” which Kraken say can be achieved for around $75 to extract the seed key, which is encrypted and protected by a 1-9 digit pin. However, Kraken state that it is “trivial” to crack this code with a ‘brute force’ attack. Once this has been achieved, the hacker can move the funds inside at will.
“Inherent Flaws” in KeepKey Hardware
The ability to hack into the wallet is, Kraken say, due to “inherent flaws” within the microcontroller inside the device, meaning that until KeepKey decides to physically remodel the device existing users will always be at risk, as will new customers. KeepKey responded to Kraken’s claims by pointing concerned users in the direction of two blog posts written by ShapeShift, who acquired KeepKey in 2017, written months ago addressing the issue:
— KeepKey (@cryptokeepkey) December 10, 2019
In the posts, ShapeShift don’t deny that the hardware wallet cannot be hacked, instead taking a different approach:
If somebody else has physical access to your device — as well as the time, skill, and tools necessary — they will always be able to command the device to do whatever they want, bypassing any digital lock that exists. Again, this is true of any hardware wallet.
This sentiment was proved back in 2018 when a security team outlined ways in which determined hackers could compromise Ledger and Trezor devices, meaning that not one of the top brands is immune to hacks. The following advice given by ShapeShift is therefore sound, and should be followed:
ShapeShift recommends that you secure your device with the same caution you would with other investments or valuables. Protect your KeepKey like it could be stolen tomorrow.