A team of security researchers showed how fragile the security of some hardware cryptocurrency wallets is. The experts tested the Trezor One, Ledger Nano S, and Ledger Blue against supply-chain and side-channel attacks, and found vulnerabilities at both the chip and the firmware level.
Dmitry Nedospasov, Thomas Roth, and Josh Datko started their work in June and managed to find several methods to compromise the security of the targeted cryptocurrency wallets.
In a presentation at the Chaos Communication Congress on Thursday, they showed that an attacker can tamper with the devices or replace them with a counterfeit variant before they reach the end user.
Breaking the seal of trust
Vendors use security stickers as a “seal” for the wallet’s box or for the casing of the device itself. An intact sticker supposedly guarantees that no one has had access to the wallet or its electronic components.
However, Josh Datko demonstrated that the presence of such an anti-tampering assurance is not a difficult obstacle for an attacker with a hairdryer, as long as they are careful not to use high temperature.
Datko was able to remove the stickers from the Trezor One box and from the Trezor T’s USB port. He said that they came off with zero residue remaining, but if some glue is still visible, it could be cleaned with fluids specific to electronic gadgets.
The Ledger devices come without an anti-tampering seal because an integrity check is performed each time they power on. The vendor also says that a “Secure Element” chip “prevents any interception or physical replacement attempt.”
After bypassing the security sticker, Datko opened the enclosures of the wallets, which was far from a tough job, and gained access to the hardware components inside.
The researcher says that on the Trezor wallets it is possible to replace the microcontroller. “Once you’ve done that on the Trezor devices you can put your compromised bootloader in there.” He skipped this challenge but told the audience that he was able to connect with a hardware debugger to get free access to the chip, which could allow reflashing the component with malicious code.
Datko took the research further and compromised a Ledger wallet with a cheap hardware implant that allowed him to approve transactions with no user intervention.
On a budget of $3.16, a switch triggered remotely over radio frequency (from at least 11 m with a 50 W transmitter) did the trick. Despite this tampering, the Ledger wallet passed the genuineness check on Windows.
Ledger Nano S bootloader vulnerability
Software-wise, the researchers reverse-engineered the firmware upgrade process to find a bug that allowed them to write custom firmware on the device.
The vendor added some protection to the boot command, which checks the legitimacy of the firmware image using a cryptographic function. If the verification passes, the constant 0xF00BABE is written to a memory address.
The check is done only once, so it is not repeated every time the device boots. The researchers’ goal was therefore to write the 0xF00BABE constant to that specific address themselves.
It turns out that the Ledger includes protection against accidentally flashing over the bootloader by blacklisting an entire memory region. The researchers used this to their advantage: they wrote the constant to an address that was not excluded by the blacklist but is mapped to the same location as the accepted address.
To demonstrate the success, the researchers flashed the chip with a version of the game Snake, using the device’s two buttons to control the movement on the tiny display.
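The weakness described above is a write guard that blacklists one address range while the same cells are reachable through another mapping. The following is an added, constructed toy model (not Ledger’s code; all addresses, the flag location and the 64 KiB flash size are hypothetical) that puts the weak guard beside a hardened one which canonicalizes every address before checking the blacklist. The deeper fix is to re-verify the firmware image on every boot so that a sticky flag is not worth writing at all.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model: a 64 KiB flash image visible at FLASH_BASE and again at an
 * alias base (many MCUs remap flash at address 0 for booting). All values are
 * hypothetical and chosen for illustration only. */
#define FLASH_SIZE      0x10000u
#define FLASH_BASE      0x08000000u                 /* canonical mapping */
#define FLASH_ALIAS     0x00000000u                 /* alias of the same cells */
#define BL_START        FLASH_BASE                  /* protected bootloader range */
#define BL_END          (FLASH_BASE + 0x4000u)
#define FLAG_ADDR       (FLASH_BASE + 0x3FFCu)      /* where the "verified" flag lives */
#define FLAG_ALIAS_ADDR (FLASH_ALIAS + 0x3FFCu)     /* same cell, reached via the alias */
#define VERIFIED_MAGIC  0xF00BABEu                  /* constant named in the article */

static uint8_t flash[FLASH_SIZE];                   /* backing store for both mappings */

void reset_flash(void) { memset(flash, 0xFF, sizeof flash); } /* erased flash reads 0xFF */

/* Resolve a CPU address to an offset into the backing store, or -1 if unmapped. */
static long to_offset(uint32_t addr) {
    if (addr >= FLASH_BASE  && addr < FLASH_BASE  + FLASH_SIZE) return (long)(addr - FLASH_BASE);
    if (addr >= FLASH_ALIAS && addr < FLASH_ALIAS + FLASH_SIZE) return (long)(addr - FLASH_ALIAS);
    return -1;
}

static void raw_write32(long off, uint32_t val) { memcpy(&flash[off], &val, 4); }

/* Weak guard: blacklists only the canonical bootloader range, so the alias slips through. */
bool weak_write32(uint32_t addr, uint32_t val) {
    if (addr >= BL_START && addr < BL_END) return false;   /* rejected */
    long off = to_offset(addr);
    if (off < 0) return false;
    raw_write32(off, val);
    return true;
}

/* Hardened guard: canonicalize through the backing-store offset first, so every
 * alias of a protected cell is rejected regardless of which mapping was used. */
bool hardened_write32(uint32_t addr, uint32_t val) {
    long off = to_offset(addr);
    if (off < 0) return false;
    uint32_t canon = FLASH_BASE + (uint32_t)off;
    if (canon >= BL_START && canon < BL_END) return false;
    raw_write32(off, val);
    return true;
}

/* What a one-time check sees at boot: is the sticky "already verified" flag present? */
bool firmware_marked_verified(void) {
    uint32_t v;
    memcpy(&v, &flash[to_offset(FLAG_ADDR)], 4);
    return v == VERIFIED_MAGIC;
}
```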
Side-channel attack on the Ledger Blue
After taking a look inside the Ledger Blue, Thomas Roth discovered that it was fitted with a long conductor that takes the signal to the screen. It acts as an antenna and its signal is amplified when the device is connected to a USB cable.
Using software-defined radio equipment, they were able to capture the radio waves and analyze their patterns to decode what was sent to the screen.
Roth created a framework to automate the recording of training signals while PIN digits were entered on the screen, and used a machine-learning model to translate them into human-readable information. The accuracy of the results was quite high, over 90%, with only one wrong prediction.
Chip-level vulnerability in Trezor One wallet
The operations on Trezor One are controlled by a microcontroller (STM32F205), which in 2017 was found to be vulnerable to fault injection.
Last year, Datko could not determine if the Trezor could be exploited via fault injection, but a different conclusion was presented at the CCC conference.
By observing the boot process and the upgrade procedure, the trio discovered a way to extract from the Random Access Memory (RAM) the seed key, or private key, that gives access to the cryptocurrency funds and allows transferring them to other wallets.
The Trezor One backs up its data, including the private key, by copying it to RAM. The researchers’ solution was to initiate a firmware upgrade procedure and stop it before the RAM gets cleared. Examining the dumped RAM contents reveals the seed words and the PIN.