Security Researchers Reveal Wallet Vulnerabilities On Stage at 35C3 | 코인긱스

Security Researchers Reveal Wallet Vulnerabilities On Stage at 35C3

0

Security Researchers Reveal Wallet Vulnerabilities on Stage at 35C3

In a demonstration titled “Wallet.fail,” a team of security researchers hacked into the Trezor One, Ledger Blue and Ledger Nano S. Unfortunately, it appears as if their findings were first put on display at the 35th Chaos Communication Congress (35C3) in Leipzig, Germany, rather than through accepted Responsible Disclosure practices, which would have allowed the manufacturers to patch the vulnerabilities and protect their customers from any potential attack. Fortunately, the vulnerabilities appear to be very difficult for attackers to actually exploit.

The team of experts included security researchers Dmitry Nedospasov, Josh Datko and systems engineer Thomas Roth. Among the vulnerabilities revealed in the presentation were several that could have been fixed with a firmware upgrade on the hardware wallets in question.

SatoshiLabs, the manufacturers of Trezor wallets, through its Chief Technology Officer Pavol Rusnak, insisted that the company had not been notified about the vulnerabilities demonstrated at the event, going on to add that there’s a “Responsible Disclosure program” that the researchers could have followed to give them a heads-up about the loopholes.

“With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these, and we’ll be addressing them via a firmware update at the end of January.”

Ledger took the same exception, claiming in a blog post to have been sidelined by the researchers, who could have notified them through a disclosure, which they claim would have given the firm the time needed “for the vulnerability to be patched as well as to mitigate risks for users.”

The Vulnerabilities

As for the vulnerabilities themselves, it appears that they cannot (yet) be exploited remotely; most of them require that the intruder have physical access to the devices in question — and sometimes access to the owner’s computer as well.

At the presentation, the security experts claimed to have flashed a Trezor One hardware wallet, which allowed them to extract the mnemonic seed (and PIN) from the RAM, going on to add that the vulnerability can only be exploited against users who don’t set a passphrase.

The team also claimed to have installed their firmware on the Ledger Nano S, allowing them to manipulate the wallet by signing transactions remotely. To do this, the intruder would have to physically access the Nano S and hack into the victim’s PC, where malware is installed to steal the PIN once the victim loads Ledger’s Bitcoin app.

Ledger claims that since this scenario requires an intruder to have physical access to the device, access to the victim’s computer and the patience to wait for the victim to put in his PIN and launch the Bitcoin app on the PC, this type of attack is unlikely to pose much of a practical threat.

The security researchers also demonstrated a proof-of-concept, side-channel attack on Ledger’s most expensive hardware wallet, the Ledger Blue. According to the team, Ledger Blue leaks signals sent to its touchscreen as radio waves, making them vulnerable. This is due to the animation of the PIN keyboard. The researchers claim the signal could get stronger when a USB cable is attached to the device, allowing them to sniff the PIN of the Ledger Blue remotely.

This article originally appeared on Bitcoin Magazine.

source : informer.com

https://bitcoinmagazine.com/articles/security-researchers-reveal-wallet-vulnerabilities-stage-35c3/#1546272928

 

‘에이코인(ACOIN)” 은 전 세계 오프라인 금거래 시장에서 금의 안전한 거래를 위해 사용하는 프로토콜 암호화폐이며, 코인월드 에이코인(ACO) 전용마켓 오픈 예정
한미중일 4개국 합자투자로 탄생한 코인월드, ‘에이코인'(ACOIN) 국내 최초 상장 협의중으로 4/16 사전 예약 실시
Coin world, ACOIN listing Discussion
Cryptocurrency exchange coin world, advance booking on next 16th

No comments