Are the makers kidding?
Link on German website, below Google-translated:
You have to look after your Bitcoin wallet, too
Crypto wallet vendors promise to store Bitcoins safely. They don't, as security researchers showed at the Chaos Computer Club congress.
Bitcoin's price has suffered a bit lately. But that does not mean that Bitcoin and other blockchain-based currencies are not still worth a lot of money. It is therefore still a good idea to keep them as safe as possible. There are specially encrypted USB sticks for this, so-called crypto wallets: electronic wallets.
There is only one problem with them, as Thomas Roth and two other security researchers have just demonstrated at the 35th Congress of the Chaos Computer Club in Leipzig: the three attacked the most common crypto wallets and cracked them. Or, as Roth and his colleagues Josh Datko and Dmitry Nedospasov put it on a website about the hack, "Poof goes your crypto …" ("Poof, and your encryption / cryptocurrency is gone …").
How exactly they did that is a bit complicated, because these are not ordinary USB sticks: they are sold for 70 to 200 euros as a particularly secure repository for Bitcoin and other cryptocurrencies. If what follows is too technical, at least one thing should be remembered: as an owner, always take very good care of the stick. "If you give it away, it's over," says Nedospasov.
However, these small storage devices are all marketed with the promise that no one can get at the Bitcoin even if the device is lost. Encryption, password protection and PIN codes are supposed to prevent this. But Roth, Datko and Nedospasov looked at three devices from the two main manufacturers, Ledger and Trezor, and were able to take all three completely apart. What's more, they also said in their talk that some of the security promises are downright negligent.
The hair dryer as a hacker tool
Trezor, for example, ships its wallet, the Trezor One, in a package sealed with a holographic sticker. The undamaged sticker is supposed to show the customer that no one has tampered with the device. Datko ordered such holographic seal stickers cheaply over the Internet from a printing company. He opened the glued packaging box with hot air from the hair dryer in his hotel room. "Stickers do not work as a security feature," says Datko.
But that was just the prelude. The Trezor One is probably the most widely used stick for storing cryptocurrencies. For security reasons, the chip on it is programmed in such a way that its contents cannot simply be read out. For example, it does not permit the use of a so-called debugger, a troubleshooting tool. But by creating a glitch in the chip, a kind of hiccup, Roth and his two colleagues were able to attach such a debugger.
The security researchers needed physical access to the Trezor for the attack. They connected it to its normal power supply via USB, but during the Trezor's startup they interrupted the power supply at exactly the right moment for a tiny instant. This allowed them to outsmart the chip's internal verification process and slip it a manipulated version of the on-chip software. It took weeks to find the right moment, and the three discovered further problems. Ultimately, they succeeded in doing what should never be possible: they could read the secret password, called the seed, unencrypted in plain text.
This attack method is a bit complicated, so they built a device to crack any Trezor. Now they just have to pry open the plastic cover, desolder the chip from the Trezor and put it into their hacker tool, called the glitcher. Then they can read the password and get at the Bitcoin stored on the Trezor.
When the wallet can suddenly be remote-controlled
Roth, Datko and Nedospasov are not the first to discover security holes in crypto wallets. Last year, for example, the US tech magazine Wired published a text by Mark Frauenfelder in which he described a personal problem with his own Trezor One: Frauenfelder had forgotten the password for his wallet and could no longer access his bitcoin worth $30,000. He was helped by a young hacker who was able to exploit a vulnerability in the device's software.
But the current attack by Roth, Datko and Nedospasov is more comprehensive than the one described by Frauenfelder. At that time, the manufacturer quickly replaced the software with a new version. Roth and his colleagues go directly to the chip and break down all of its security barriers.
The hack of the Blue, a 200-euro crypto wallet from the French manufacturer Ledger, needed no such great effort. From a distance of several meters, Roth, Datko and Nedospasov can use an antenna to record the signals emitted when someone enters their secret PIN into the device, and so the security researchers can ultimately read the PIN.
The cause is a design error. The trace between the main controller and the security chip is unusually long. Roth says he noticed that immediately when he opened the case. A long trace also means a greater chance of unintentional emissions, since every electrical pulse in a conductor also emits electromagnetic radiation. The Ledger Blue generates the signals in the radio spectrum around 169 megahertz from the component that controls the screen. When the user presses a digit of the PIN on the touchscreen, a specific signal pattern is created. If you pick up the signal, you can see which PIN has been entered on the screen.
These signals are tiny, but fortunately the device comes with a very good antenna, which amplifies these signals and makes them measurable, says Roth: "the USB cable to the power supply". From at least three meters away, he and his colleagues could determine with more than 90 percent certainty which digit was entered. An attacker would then only have to steal the device to get at its contents.
The third popular crypto wallet, the Ledger Nano S, also has a hardware problem. The device has two chips: a specially secured one, which cannot easily be controlled from the outside, and a normal one, which handles communication with the display and with the security chip. The Nano S costs 70 euros and is advertised with state-of-the-art security: the secured chip guarantees "optimal security", it says on the manufacturer's website. But the weak point is the normal chip.
What good is the nicest security chip …
This has been known for some time, says Roth. Ledger used it anyway. Here too, the three security researchers found several points of attack. They could take over the device completely and even install their own software on it: the mobile game Snake. Something like that should not be possible, as it means that the chip does not notice when it is manipulated.
Ultimately, Roth, Datko and Nedospasov were able to control the Ledger Nano S remotely. If you get your hands on one, you can, in a few simple steps, solder in a tiny chip with a wire attached as an antenna. When the actual owner then uses the crypto wallet, the security researchers can use the antenna to transmit commands to their spy chip by radio and thus transfer Bitcoin without the owner noticing. Twice already, he and his colleagues had pointed out to the manufacturer Ledger problems they had found, says Roth. The reaction was different from what they had expected: Ledger stonewalled, and so far nothing has changed.
Crypto wallets live up to their name in a way that was previously only vaguely feared: you obviously have to take care of them just as well as a normal wallet with cash in it, even though the manufacturers promise otherwise.