The attack takes around 15 minutes to complete. Both the Trezor One and the Trezor Model T wallets are known to be affected.
The vulnerability essentially exposes the encrypted seed phrase stored on the compromised device to the attacker. They can then brute force the PIN used to protect the encrypted secret and move funds associated with it.
As detailed in a blog post by Kraken Security Labs, the attack exploits known flaws in the device’s hardware. This makes the vulnerability difficult to adequately address without a full hardware redesign, according to the post.
The post details that the researchers relied on specialist knowledge and “several hundred dollars of equipment” to break into the devices. However, they note that the devices used could be mass-produced for around $75.
Trezor itself has also responded publicly to the attack. The company acknowledges the risk posed by what it terms the Read Protection Downgrade Attack.
According to Trezor’s post, attackers need physical access to the device, as well as specialized equipment to send precisely timed voltage glitches through it. Once the read protection is downgraded, the attacker can brute force the one- to nine-digit PIN offline. The whole process can take as little as 15 minutes.
Trezor and Kraken reiterate the importance of using the optional passphrase feature to protect holdings further. Attackers cannot compromise those Trezor wallets protected by a strong passphrase using the method detailed here.
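To make the passphrase advice concrete, the following added example (not code from the article, Kraken or Trezor) shows why a wallet protected by a strong passphrase survives this attack. It assumes the standard BIP39 derivation that the Trezor passphrase feature follows: the seed is PBKDF2-HMAC-SHA512 over the mnemonic with the passphrase folded into the salt, so an attacker who extracts the mnemonic and cracks the PIN still derives the wrong seed without the passphrase. The mnemonic below is the well-known all-"abandon" BIP39 test phrase, used here as a constructed sample, and the PIN figures treat the digit set size as a parameter rather than asserting what the device keypad offers.

```python
import hashlib
import unicodedata

# Constructed sample: the BIP39 reference test mnemonic, not a funded wallet.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    Password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase),
    PBKDF2-HMAC-SHA512 with 2048 rounds. The passphrase is never stored on
    the device, so a dumped mnemonic alone does not yield this seed.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases yield different wallets from the same mnemonic."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


def pin_keyspace(max_len: int, alphabet_size: int) -> int:
    """Number of PINs of length 1..max_len over an alphabet of the given size.

    This is the search space an attacker faces once the encrypted secret is
    off the device and the PIN check runs offline at full speed.
    """
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def passphrase_keyspace(word_count: int, dictionary_size: int) -> int:
    """Search space of a random word-list passphrase, for comparison."""
    return dictionary_size ** word_count


if __name__ == "__main__":
    # Same mnemonic, three passphrases, three unrelated wallets.
    for pp in ("", "TREZOR", "correct horse battery staple"):
        print(f"passphrase={pp!r:32} seed={bip39_seed(SAMPLE_MNEMONIC, pp).hex()[:16]}...")
    # A nine-digit PIN is tiny next to even a modest random passphrase.
    print("PINs, up to 9 digits, 10-digit alphabet:", pin_keyspace(9, 10))
    print("6-word passphrase from a 7776-word list:", passphrase_keyspace(6, 7776))
```

The derivation matches the published BIP39 test vectors, so the output for the sample mnemonic with passphrase "TREZOR" can be checked against the reference implementation. The point of the two keyspace helpers is the contrast: a PIN search of roughly a billion candidates is feasible once the check no longer runs on the device, while a random multi-word passphrase is not.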
Kraken Security Labs reportedly disclosed the flaw to Trezor in October 2019. It has since worked with the hardware wallet company to disclose the vulnerability in the interests of cryptocurrency users.
Pavol Rusnak, CTO of Trezor manufacturer SatoshiLabs, commented on the attack:
“We are happy that Kraken Security Labs are investing their resources in improving the security of the whole Bitcoin ecosystem. We cherish this kind of responsible disclosure and cooperation.”
In the post by Trezor itself, the hardware wallet company speculates that the vulnerability is related to one exposed by researchers at rival firm Ledger last year. BeInCrypto reported on the flaw at the time. However, Trezor says it is unable to confirm if the two attacks are definitely related since the Ledger researchers have not disclosed full details of their own efforts.