Dev Corner: Security Updates 1.8.0 and 2.1.0 With Andrew Kozlik, Cryptography Specialist at Trezor
According to Andrew, most of the vulnerabilities require that an attacker has access to the hardware wallet for a long time which leads to accessing of the wallet PIN which is stored in the wallet memory in clear text, a situation the company was not happy about and already taking steps to correct.
The first attack was when researchers monitored the electromagnetic emissions of the Trezor during PIN checking, and the power consumption, and using this information they were able to guess the correct PIN after several unsuccessful PIN attempts, said Andrew.
The second was when the attackers managed to disable the the read-protection on the STM32 chip which the company has it set at the highest level of two. They reduced the level to one, allowing them to read the RAM to which sensitive information was copied during the firmware upgrade, a mistake that has been corrected in the Trezor T.
The attacker in the third attacker created a USB request to read the USB descriptor from memory, and then he used electromagnetic fault injection to disable the size check on the USB request, Andrew said. This gave him access to read past the memory location of the USB descriptor and he read the sensitive data on the Trezor.
He added that the problem has been solved by placing an invalid memory segment just before the sensitive data prevents access to the sensitive data on the Trezor even if an attacker reads past any information they are allowed to see.
More on Andrew’s talk here
Support us and the authors of this article by donating to the following address:3PwNPMMv8v7vvrVysCCXwNBkYSfERE4iA6