Crypto hardware wallet provider OneKey says it has already addressed a vulnerability in its firmware that allowed one of its hardware wallets to be hacked in the background.
On February 10, a YouTube video published by cybersecurity startup Unciphered showed that they had discovered a way to exploit a “mass critical vulnerability” to “crack” a OneKey Mini.
According to Eric Michaud, a partner at Unciphered, by disassembling the device and inserting the encryption, it was possible to return the OneKey Mini to “factory mode” and bypass the security PIN, allowing a potential attacker to remove the mnemonic phrase used to retrieve a wallet.
“You have the CPU and the secure element. The secure element is where you keep your cryptographic keys. Now, normally, communications are encrypted between the CPU, where the processing takes place, and the secure element,” Michaud explained.
“Well, it turns out it wasn’t designed to do it in this case. So what you could do is put a tool in the middle that monitors communications and intercepts them and then injects its own commands,” he said, adding:
“We did that where it then tells the secure element that it’s in factory mode and we can remove your mnemonic, which is your money in crypto.”
However, in a February 10 statement, OneKey said it had already addressed the security flaw identified by Unciphered, noting that its hardware team had updated the security patch “earlier this year” with “no one being affected” and that “all disclosed vulnerabilities have been or are being patched.”
Our response to recent security fix reports https://t.co/Dp9nNp1D0U
— OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
“That said, with passphrases and basic security practices, even the physical attacks revealed by Unciphered won’t affect OneKey users.”
The company further highlighted that while the vulnerability was concerning, the attack vector identified by Unciphered cannot be used remotely and requires “disassembly of the device and physical access via a dedicated FPGA device in the lab to be able to run it”.
According to OneKey, during correspondence with Unciphered, it was revealed that other wallets were found to have similar issues.
“We also pay bounties to Unciphered to thank them for their contributions to OneKey’s security,” OneKey said.
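The weakness Michaud describes is a link between the CPU and the secure element that lets a device in the middle inject its own commands; the usual defence is for the secure element to accept a command only when it carries a valid authentication tag and a fresh counter. The sketch below is an added illustration of that check, not OneKey's or Unciphered's code, and it authenticates frames rather than encrypting them. The frame layout, the opcode names and the pre-shared pairing key are assumptions.

```python
import hmac, hashlib, os, struct

# Hypothetical opcodes; the page does not give OneKey's real command set.
OP_SIGN, OP_FACTORY_MODE = 0x01, 0x7F
TAG_LEN = 32

def seal(key: bytes, counter: int, opcode: int, payload: bytes = b"") -> bytes:
    """CPU side: frame = counter(4) | opcode(1) | payload | HMAC-SHA256 tag."""
    body = struct.pack(">IB", counter, opcode) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SecureElement:
    """Secure-element side: accepts a frame only if its tag verifies and
    its counter is strictly newer than the last accepted one."""
    def __init__(self, pairing_key: bytes):
        self._key = pairing_key      # assumed provisioned at manufacture
        self._last_counter = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) < 5 + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: bad tag"
        counter, opcode = struct.unpack(">IB", body[:5])
        if counter <= self._last_counter:
            return "reject: replayed counter"
        self._last_counter = counter
        return f"accept: opcode 0x{opcode:02x}"

def demo() -> list[str]:
    key = os.urandom(32)             # constructed sample key
    se = SecureElement(key)
    genuine = seal(key, 1, OP_SIGN, b"tx-digest")
    # A device on the bus does not hold the key, so it can only guess a tag
    # or alter a frame it has observed; both fail verification.
    injected = struct.pack(">IB", 2, OP_FACTORY_MODE) + bytes(TAG_LEN)
    tampered = genuine[:4] + bytes([OP_FACTORY_MODE]) + genuine[5:]
    return [se.handle(genuine), se.handle(injected),
            se.handle(tampered), se.handle(genuine)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last call replays the genuine frame unchanged and is rejected on its counter, which is why the tag has to cover the counter as well as the opcode.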
In its blog post, OneKey said that it has already put a lot of effort into ensuring the security of its users, including protecting them from supply chain attacks, in which a hacker replaces a genuine wallet with one controlled by them.
OneKey’s measures have included tamper-evident packaging for deliveries and the use of Apple supply chain service providers to ensure strict supply chain security management.
In the future, they hope to implement integrated authentication and upgrade newer hardware wallets with higher-level security components.
OneKey noted that the primary goal of hardware wallets has always been to protect users’ money from malware attacks, computer viruses, and other remote dangers, but acknowledged that unfortunately nothing can be 100% secure.
“When we look at the entire hardware wallet manufacturing process, from silicon crystals to chip code, from firmware to software, it’s safe to say that with enough money, time, and resources, any security barrier can be broken, even if it is a nuclear weapon control system.”