Kraken Security Lab said crypto hardware wallet KeepKey is not doing enough to protect customers from physical attacks, saying it was able to get into the system using a $75 device.
“All that is required is physical access to the wallet for about 15 minutes,” the firm said in a blog post on Tuesday.
Kraken Security Lab said KeepKey is already aware of similar physical attacks, but seems to be focusing more on protecting users’ keys from remote attacks, citing a statement from KeepKey’s parent Shapeshift on June 13.
The attacks can extract seeds that could help users restore and backup their wallets from a voltage glitching device costing roughly $75.
However, Michael Perklin, chief information security officer of Shapeshift, said Kraken Security’s statement is misleading, according to a statement received by CoinDesk. The crypto exchange acquired hardware wallet startup KeepKey for an undisclosed amount in August 2017 to develop its technology and security for its crypto holders.
“Not only does this attack require physical possession of the device, it would require significant preparation and expertise, as well as specialized equipment,” Perklin said.
“The cost is possible only if the person had an extremely sophisticated understanding of what was needed,” he added. “The average person would not have the education about hardware design or computer science to go pick out parts for $75 and successfully assemble a tool to use for this type of attack.”
Kraken Security Lab said in its blog post that while physical attacks are difficult to defend against, it found Keepkey’s focus on remote attacks “potentially out of line with the branding of [its] product.”
Perklin responded that KeepKey took measures to protect its users from potential physical attacks before Kraken notified it.
“We recommend our users use BIP39 passphrases that add an extra layer of security,” Perklin said. “The process is relatively easy and we provided step-by-step instructions on how to set up BIP39 in the June 13 statement.”
One of the reasons such physical attacks are difficult to prevent is KeepKey has to redesign its hardware. In particular, Kraken Security Lab claims, the wallet needs to change the microcontroller because of “inherent flaws” that could be used by hackers.
“It is important to understand that if you physically lose your KeepKey, this vulnerability could be used to access your crypto,” according to the blog post.
“It’s much like a door lock analogy. You can change the locks on your door as often as you want, but someone with enough time and expertise can always pick the lock,” Perklin responded.
“Redesigning KeepKey, or using a different microcontroller, might slow down an attacker if they have the physical device, but it will not stop them if they are determined, skilled and have enough time to break in,” he added.
Kraken Security Lab said it disclosed the full details of this threat of attack to KeepKey on Sept. 11 and is going public now so the crypto community can protect itself. Shapeshift confirmed it received the information and had asked its users to use the BIP39 passphrase before that time.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.