Kraken: $75 Device Will Get You Into Crypto Hardware Wallet KeepKey

Kraken Security Labs said crypto hardware wallet KeepKey is not doing enough to protect customers from physical attacks, saying it was able to get into the system using a $75 device.

AccessTimeIconDec 11, 2019 at 7:48 p.m. UTC
Updated Sep 13, 2021 at 11:48 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Kraken Security Lab said crypto hardware wallet KeepKey is not doing enough to protect customers from physical attacks, saying it was able to get into the system using a $75 device. 

“All that is required is physical access to the wallet for about 15 minutes,” the firm said in a blog post on Tuesday. 

Kraken Security Lab said KeepKey is already aware of similar physical attacks, but seems to be focusing more on protecting users’ keys from remote attacks, citing a statement from KeepKey’s parent Shapeshift on June 13. 

The attacks can extract seeds that could help users restore and backup their wallets from a voltage glitching device costing roughly $75. 

However, Michael Perklin, chief information security officer of Shapeshift, said Kraken Security’s statement is misleading, according to a statement received by CoinDesk. The crypto exchange acquired hardware wallet startup KeepKey for an undisclosed amount in August 2017 to develop its technology and security for its crypto holders. 

“Not only does this attack require physical possession of the device, it would require significant preparation and expertise, as well as specialized equipment,” Perklin said. 

“The cost is possible only if the person had an extremely sophisticated understanding of what was needed,” he added. “The average person would not have the education about hardware design or computer science to go pick out parts for $75 and successfully assemble a tool to use for this type of attack.” 

Kraken Security Lab said in its blog post that while physical attacks are difficult to defend against, it found Keepkey’s focus on remote attacks “potentially out of line with the branding of [its] product.”  

Perklin responded that KeepKey took measures to protect its users from potential physical attacks before Kraken notified it. 

“We recommend our users use BIP39 passphrases that add an extra layer of security,” Perklin said. “The process is relatively easy and we provided step-by-step instructions on how to set up BIP39 in the June 13 statement.” 

One of the reasons such physical attacks are difficult to prevent is KeepKey has to redesign its hardware. In particular, Kraken Security Lab claims, the wallet needs to change the microcontroller because of “inherent flaws” that could be used by hackers. 

“It is important to understand that if you physically lose your KeepKey, this vulnerability could be used to access your crypto,” according to the blog post. 

“It’s much like a door lock analogy. You can change the locks on your door as often as you want, but someone with enough time and expertise can always pick the lock,” Perklin responded. 

“Redesigning KeepKey, or using a different microcontroller, might slow down an attacker if they have the physical device, but it will not stop them if they are determined, skilled and have enough time to break in,” he added. 

Kraken Security Lab said it disclosed the full details of this threat of attack to KeepKey on Sept. 11 and is going public now so the crypto community can protect itself. Shapeshift confirmed it received the information and had asked its users to use the BIP39 passphrase before that time.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.