Friday, September 22, 2023

OneKey says it fixed a bug that had its hardware wallet hacked in one second


OneKey, the crypto hardware wallet provider, says it has already addressed a vulnerability in its firmware that allowed one of its hardware wallets to be hacked in one second.

On Feb. 10, a YouTube video posted by cybersecurity startup Unciphered showed that the company had discovered a way to exploit a “massive critical vulnerability” to “unlock” the OneKey Mini.

According to Eric Michaud, partner at Unciphered, by disassembling the device and entering code, it was possible to return the OneKey Mini to “factory mode” and bypass the security PIN, allowing a potential attacker to remove the mnemonic phrase used to restore a wallet.

“You have the CPU and the secure element. The secure element is where you keep the encryption keys. Now, normally, communications between the CPU, where the processing takes place, and the secure element are encrypted,” Michaud explained.

“Well, it turns out it wasn’t designed to do that in this case. So what you can do is put a tool in the middle that monitors and intercepts connections and then injects its own commands,” he said, adding:

“We’ve done it where the secure component tells it’s in factory mode and we can take out your mnemonics, which is your money in crypto.”
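The bus weakness Michaud describes can be modeled in a few lines. This is an added example, not code from OneKey, Unciphered or the original article: a toy secure element that trusts any frame on an unprotected bus, next to one that requires an HMAC tag and a fresh counter on every frame. The command codes, frame layout and pairing key are assumptions made for illustration, and it uses message authentication rather than the encryption mentioned in the quote, because integrity is what blocks injected commands.

```python
import hashlib, hmac, os, struct

# Hypothetical command codes for a toy bus protocol (not any vendor's real one).
CMD_STATUS, CMD_FACTORY_MODE = 0x01, 0x7F
TAG_LEN = 32  # HMAC-SHA256 tag length

def host_frame(key, counter, cmd):
    """Frame sent by the MCU: 4-byte counter | 1-byte command | HMAC tag."""
    body = struct.pack(">IB", counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SecureElement:
    """Toy secure element. pairing_key=None models the unprotected bus."""
    def __init__(self, pairing_key=None):
        self.key, self.last_counter, self.factory_mode = pairing_key, 0, False

    def handle(self, frame):
        if self.key is None:
            if not frame:
                return "rejected: empty"
            cmd = frame[0]  # whatever arrives on the wire is trusted
        else:
            if len(frame) != 5 + TAG_LEN:
                return "rejected: length"
            body, tag = frame[:5], frame[5:]
            want = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, want):
                return "rejected: bad tag"
            counter, cmd = struct.unpack(">IB", body)
            if counter <= self.last_counter:
                return "rejected: replay"
            self.last_counter = counter
        if cmd == CMD_FACTORY_MODE:
            self.factory_mode = True
        return "ok"

def run_demo():
    key = os.urandom(32)  # constructed; stands in for a key set at pairing
    open_bus, paired = SecureElement(), SecureElement(key)
    results = {"open_injected": open_bus.handle(bytes([CMD_FACTORY_MODE]))}
    genuine = host_frame(key, 1, CMD_STATUS)
    results["paired_genuine"] = paired.handle(genuine)
    forged = struct.pack(">IB", 2, CMD_FACTORY_MODE) + bytes(TAG_LEN)
    results["paired_injected"] = paired.handle(forged)  # no key, so no valid tag
    results["paired_replay"] = paired.handle(genuine)   # captured frame resent
    results["factory_mode"] = (open_bus.factory_mode, paired.factory_mode)
    return results

if __name__ == "__main__":
    print(run_demo())
```

A tag protects integrity only: secrets crossing the bus would also need encryption, and the pairing key itself has to be stored where someone with the board on a bench cannot read it.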

However, on Feb. 10, OneKey said it had already addressed the security flaw identified by Unciphered, noting that its hardware team had updated the security patch “earlier this year” without “anyone affected,” and that “all the vulnerabilities identified have been or are being repaired.”

OneKey added that, with basic password phrases and security practices, even the physical attacks identified by Unciphered will not affect OneKey users.

The company also highlighted that while the vulnerability was concerning, the attack vector identified by Unciphered cannot be used remotely and requires “device disassembly and physical access through a dedicated FPGA in the lab to be feasible to implement.”

According to OneKey, during correspondence with Unciphered, it was revealed that there are similar issues with other wallets.

“We also paid Unciphered rewards to thank them for their contributions to OneKey security,” said OneKey.


OneKey said in its blog post that it has already gone to great lengths to ensure the security of its users, including protecting them from supply chain attacks — when a hacker replaces an original wallet with one it controls.

OneKey’s measures included tamper-proof packaging for deliveries and the use of Apple supply chain service providers to ensure strict management of supply chain security.

In the future, OneKey hopes to implement internal authentication and upgrade newer hardware wallets with higher-level security components.

OneKey noted that the main purpose of hardware wallets has always been to protect users’ funds from malware attacks, computer viruses, and other remote dangers, but acknowledged that unfortunately, nothing can be 100% secure.

“When we look at the entire manufacturing process of the hardware portfolio, from silicon crystals to chip code, from firmware to software, it is safe to say that with enough money, time and resources, any hardware barrier can be breached, even if it is a nuclear weapon control system.”