Cyber firm cracks OneKey crypto wallets, raises broader hardware security questions
When it comes to privacy and security, many in the crypto world have long touted hardware wallets as a superior option for holding Bitcoin and other digital assets. For proponents, the advantages of such wallets – small USB-like devices that plug into laptops or mobile phones – lie in the fact that they are physical devices that can be stored offline, safe from hackers, except for the times an owner wants to make a transaction.
But not everyone is convinced they’re always a good idea, including a team of white-hat hackers at a cybersecurity startup called Unciphered. The team just published a video showing them breaking into a device manufactured by OneKey, a Hong-Kong-based firm that has raised $20 million in venture capital and describes the product as an “open source wallet trusted by millions on.”
Unciphered shared a preview of the video with Fortune, explaining that the exploit involved using a “man-in-the-middle” attack to trick the OneKey device into thinking it was still in the factory. By doing this, Unciphered was able to get the device to relay the wallet’s seed phrase—a random, inhospitable string of 12 or more words that acts as a password—to another part of the device’s computer system, capturing it along the way.
Taking possession of a seed phrase means that it is possible to access the digital assets in a wallet and steal them by sending them to another address. Or more simply, it’s like making a copy of someone’s safe deposit box key that can be accessed anytime, anywhere.
Here are images showing the exploit, which Unciphered says takes less than a second to perform once the OneKey device has been disassembled and the “man-in-the-middle” component attached:
Yishi Wang, the founder of OneKey, confirmed the existence of the exploit, telling Fortune the company has since issued an update to fix it.
“We appreciate the help from Unciphered and other white security hats. The firmware vulnerability you mentioned above, which required physical access [and] special equipment, is now fixed,” he said by email.
According to Unciphered, OneKey paid the company $10,000 in the form of a “bug bounty” – a term that describes a reward system, offered by many tech and crypto companies, to encourage white-collar hackers to report and share vulnerabilities responsibly.
How secure are hardware wallets, really?
While the existence of vulnerabilities is always cause for concern, the reality is that not all exploits pose a significant real risk. As the OneKey founder noted in his reply to Fortunethe vulnerability discovered by Unciphered required a hacker to have physical access to the device and a high level of technical expertise—a very different situation than a software exploit that could be sold or used by a low-level cybercriminal.
Nevertheless, the danger is still real. According to Eric Michaud, the founder of Unciphered, the type of person who has a hardware wallet usually owns a good amount of digital assets and is particularly likely to be targeted by sophisticated criminals. He notes that crypto conferences provide a particularly target-rich environment for thieves, including those who break into hotel rooms.
In an interview, Michaud also observed that hardware wallets can provide a false sense of security, leading owners to fail to securely store the device under the false assumption that hackers cannot crack it. And while hardware manufacturers provide software updates to harden a device’s security — as OneKey did in response to Unciphered’s discovery — there’s also the problem of older wallets whose manufacturer is no longer in business, or held by owners who fail to update them.
More broadly, Michaud says that Unciphered — which is staffed by longtime security researchers, some of whom have held national security clearances — is also concerned about a much wider variety of hardware wallets than OneKey.
According to Michaud, multiple hardware wallet manufacturers recycle the same codebase to create their products, meaning a vulnerability discovered in one wallet is often found in others. The result is that those who rely on hardware wallets to protect their crypto need to be vigilant.
This story was originally featured on Fortune.com
More from Fortune:
5 Side Hustles Where You Can Make Over $20,000 Per Year – All While Working From Home
The 5 most common mistakes lottery winners make
This is how much money you need to earn annually to comfortably buy a $400,000 home