Kraken: $75 Device Will Get You Into Crypto Hardware Wallet KeepKey

Kraken Security Labs said crypto hardware wallet KeepKey is not doing enough to protect customers from physical attacks, saying it was able to get into the system using a $75 device.

Dec 11, 2019 at 7:48 p.m. UTC
Updated Sep 13, 2021 at 11:48 a.m. UTC

Kraken Security Labs says it extracted the seed from a KeepKey hardware wallet with a voltage-glitching setup costing about $75, and that the wallet's maker is not doing enough to protect customers from physical attacks. 

“All that is required is physical access to the wallet for about 15 minutes,” the firm said in a blog post on Tuesday. 

Kraken Security Labs said KeepKey is already aware of similar physical attacks but appears to be focusing more on protecting users’ keys from remote attacks, citing a June 13 statement from KeepKey’s parent company ShapeShift. 

The attack uses a voltage-glitching device costing roughly $75 to extract the wallet’s seed, the secret a user would otherwise use only to back up and restore the wallet. Anyone holding the seed can access the crypto it controls. 

However, Michael Perklin, chief information security officer of ShapeShift, said Kraken Security Labs’ statement is misleading, according to a statement received by CoinDesk. ShapeShift, a crypto exchange, acquired hardware wallet startup KeepKey for an undisclosed amount in August 2017 to develop the device’s technology and security for its own customers. 

“Not only does this attack require physical possession of the device, it would require significant preparation and expertise, as well as specialized equipment,” Perklin said. 

“The cost is possible only if the person had an extremely sophisticated understanding of what was needed,” he added. “The average person would not have the education about hardware design or computer science to go pick out parts for $75 and successfully assemble a tool to use for this type of attack.” 

Kraken Security Labs said in its blog post that while physical attacks are difficult to defend against, it found KeepKey’s focus on remote attacks “potentially out of line with the branding of [its] product.”  

Perklin responded that KeepKey took measures to protect its users from potential physical attacks before Kraken notified it. 

“We recommend our users use BIP39 passphrases that add an extra layer of security,” Perklin said. “The process is relatively easy and we provided step-by-step instructions on how to set up BIP39 in the June 13 statement.” 
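Why a BIP39 passphrase helps once the seed itself has been extracted: the passphrase is not stored alongside the mnemonic but is mixed into the PBKDF2 derivation of the wallet seed, so a stolen mnemonic yields a different (empty) wallet unless the attacker also guesses the passphrase. The following is an added illustration written for this page, not code from KeepKey, ShapeShift or Kraken Security Labs; it uses only the Python standard library, the published all-"abandon" BIP39 test mnemonic as constructed input, a constructed list of weak guesses, and an equality check against the real seed as a stand-in for whatever oracle (such as a funded address) a real attacker would test guesses against.

```python
import hashlib
import hmac
import unicodedata
from typing import Callable, Iterable, Optional, Tuple

PBKDF2_ROUNDS = 2048  # fixed by the BIP39 specification


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 binary seed.

    BIP39 specifies PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    with salt "mnemonic" + passphrase and 2048 rounds. The word list and
    checksum are not validated here (assumption: caller supplies a valid mnemonic).
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512(key="Bitcoin seed", seed), split into the
    32-byte master private key and the 32-byte chain code. Every address in the
    wallet descends from this pair, so a different seed means a different wallet."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def find_passphrase(mnemonic: str, candidates: Iterable[str],
                    is_target: Callable[[bytes], bool]) -> Optional[str]:
    """Offline dictionary attack available to an adversary who has extracted
    the mnemonic. Each guess costs one full PBKDF2 derivation; `is_target`
    is a hypothetical oracle (here: equality with the victim's real seed)."""
    for guess in candidates:
        if is_target(bip39_seed(mnemonic, guess)):
            return guess
    return None


# Constructed inputs: the all-"abandon" BIP39 test mnemonic and a short list of
# weak passphrases. Never use a published mnemonic for real funds.
TEST_MNEMONIC = "abandon " * 11 + "about"
COMMON_GUESSES = ["", "password", "123456", "letmein", "hunter2", "bitcoin"]


def demo() -> dict:
    """Show that the passphrase changes the derived wallet, that a weak
    passphrase falls to a tiny dictionary, and that a strong one does not."""
    seed_plain = bip39_seed(TEST_MNEMONIC)
    seed_weak = bip39_seed(TEST_MNEMONIC, "hunter2")
    seed_strong = bip39_seed(TEST_MNEMONIC, "moss-tundra-9-violin-ledger")
    return {
        "passphrase_changes_seed": seed_plain != seed_weak,
        "master_keys_differ": bip32_master_key(seed_plain)[0] != bip32_master_key(seed_weak)[0],
        "weak_recovered": find_passphrase(TEST_MNEMONIC, COMMON_GUESSES,
                                          lambda s: s == seed_weak),
        "strong_recovered": find_passphrase(TEST_MNEMONIC, COMMON_GUESSES,
                                            lambda s: s == seed_strong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The caveat this makes concrete: the passphrase only adds the entropy the user actually puts into it. With the mnemonic in hand, the attacker's work is one PBKDF2-HMAC-SHA512 call per guess, so a short or dictionary passphrase is recovered almost immediately, while a long random one is out of reach. The passphrase must also be remembered or stored separately from the mnemonic, because writing it on the same backup card hands both to whoever holds the card.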

One reason such physical attacks are difficult to prevent is that stopping them would require KeepKey to redesign its hardware. In particular, Kraken Security Labs claims, the wallet would need a different microcontroller, because the current one has “inherent flaws” that attackers can exploit. 

“It is important to understand that if you physically lose your KeepKey, this vulnerability could be used to access your crypto,” according to the blog post. 

“It’s much like a door lock analogy. You can change the locks on your door as often as you want, but someone with enough time and expertise can always pick the lock,” Perklin responded. 

“Redesigning KeepKey, or using a different microcontroller, might slow down an attacker if they have the physical device, but it will not stop them if they are determined, skilled and have enough time to break in,” he added. 

Kraken Security Labs said it disclosed the full details of the attack to KeepKey on Sept. 11 and is going public now so the crypto community can protect itself. ShapeShift confirmed it received the information and said it had already asked its users to set a BIP39 passphrase before that date.
