Dan Reich, a New York-based entrepreneur and crypto enthusiast, breathed a sigh of relief after a hacker helped him recover more than $2 million that was trapped in a Trezor One hardware wallet.
In early 2018, Reich and his friend spent $50,000 worth of Bitcoin (BTC) to acquire Theta Network (THETA) tokens, equivalent to $0.21 at the time, as reported by the website. The Verge.
Initially, the funds were on a Chinese cryptocurrency exchange and then transferred to a Trezor One hardware wallet.
At the end of 2018, when the price of the token dropped almost four times, the two friends decided to withdraw their investment. However, they realized that they had forgotten the security personal identification number (PIN) that gave access to the wallet with the tokens.
After 12 failed attempts to guess the PIN, investors ended up giving up, as the wallet would completely erase after 16 unsuccessful attempts.
But after the price of THETA skyrocketed in 2021, hit a record high of $15, and the initial investment briefly exceeded $3 million, Reich and his friend decided to renew their attempts to gain access to the wallet.
Looking for help in different places, the duo contacted Joe Grand, a hardware hacker residing in Portland who was eventually able to recover the PIN.
Bypassing Trezor’s Security
As Grand explained in his video not YouTube, usually Trezor One wallets temporarily move the PIN and key to RAM during a firmware update.
When the update is complete, the information is returned to flash memory.
That was not the case with Reich’s wallet. Although Trezor moved the PIN and key that was copied to RAM during a boot, the PIN and key appeared in the device’s RAM in other steps.
This means that if Grand had inadvertently cleared the RAM before it could read the data, it would not have been possible to recover the PIN.
To solve the problem, Grand used a so-called fault-injection attack — a physical attack on the device that changes the amount of voltage going into the chip — that allowed him to bypass the security of the wallet’s microcontrollers, implemented to prevent hackers from reading the RAM.
After this step, Grand ran an automatic script to get the lost PIN.
“I was there, watching the computer screen, and I saw that I could circumvent security, private information, and the phrase ‘seed’ recovery, so the PIN I was looking for appeared on the screen afterward,” said Grand.
Trezor talks about the mocked wallet
Importantly, Satoshi Labs, the Prague-based Tezos wallet maker, had fixed the security issue found in Reich’s device some time ago and all new devices ship with a fixed bootloader.
“We just wanted to add that this is an old-fashioned hack and is not a concern for current users. We fixed it in 2017 right after a report we received through our responsible information disclosure program,” tweeted Trezor on Monday (24).
The main problem with the chip that enables an injection failure attack still persists in older devices and can be fixed by the chip manufacturer or by switching to a more secure chip.
However, as highlighted by Trezor, this type of attack requires completely physical access to the device and there is no record of compromised funds.
*Translated and edited by Daniela Pereira do Nascimento with permission from Decrypt.co.