Crypto hardware wallet provider OneKey says it has already patched a vulnerability in its firmware that allowed one of its hardware wallets to be hacked in one second.
February 10 video on YouTube published cybersecurity startup Unciphered has revealed they have found a way to exploit a “massive critical vulnerability” to “hack” the OneKey Mini.
By disassembling the device and pasting the encoding, one could return the OneKey Mini to “factory mode” and bypass the security pin, allowing a would-be attacker to remove the mnemonic phrase used to restore the wallet, according to Unciphered partner Eric Michaud.
“You have a CPU and a security element. The secure element is where you store your cryptographic keys. Now, as a rule, the communication between the CPU where the processing is performed and the security element is encrypted,” Michaud explained.
“Well, it turns out in this case it wasn’t designed for that. So you could put a tool in the middle that snoops on messages and intercepts them and then issues your own commands,” he said, adding:
“We did this when it then tells the secure element that it is in factory mode and we can remove your mnemonic, which is your cryptocurrency money.”
However, OneKey’s February 10 statement says it has already addressed a security flaw uncovered by Unciphered, noting that its hardware team had updated a security patch “earlier this year” “without affecting anyone”, and that “all reported vulnerabilities were or are being fixed”.
Our response to recent security patch reports https://t.co/Dp9nNp1D0U
— OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
“However, with passphrases and basic security practices, even the physical attacks uncovered by Unciphered won’t affect OneKey users.”
The company also stressed that while the vulnerability is a concern, the attack vector identified by Unciphered cannot be exploited remotely and requires “device disassembly and physical access through a dedicated FPGA device in a lab in order to be executed.”
According to OneKey, during the correspondence with Unciphered, it turned out that other wallets were found to have similar problems.
“We also paid rewards to Unciphered to thank them for their contributions to OneKey security,” OneKey said.
‘Haunts me to this day’ – $4 million crypto project hacked in hotel lobby
In a blog post, OneKey said it has already put a lot of effort into keeping its users safe, including protecting them from supply chain attacks — where a hacker replaces a real wallet with one they control.
OneKey’s measures include tamper-proofing of supply packaging and the use of Apple’s supply chain service providers to ensure strict supply chain security management.
In the future, they hope to implement built-in authentication and upgrade new hardware wallets with higher level security components.
OneKey noted that the main purpose of hardware wallets has always been to protect users’ money from malware, computer viruses and other remote threats, but acknowledged that, unfortunately, nothing can be 100% secure.
“When we look at the entire production process of a hardware wallet, from silicon crystals to chip code, from firmware to software, it is safe to say that with enough money, time and resources, any hardware barrier can be overcome, even if it is nuclear. weapon. control system.”
Credit : cointelegraph.com
