List of Hardware Wallet Hacks
This is a living document; it changes as my understanding of these vulnerabilities evolves and as new vulnerabilities are discovered.
What constitutes a hardware wallet hack?
I count anything as a “hack” that allows a hacker to change a hardware wallet’s intended behavior. This means it is not relevant to me if the hack was ever exploited, or if it has received a low likelihood rating from vendors.
Know of a hack that is not included?
Let me know here: https://github.com/TheCharlatan/thecharlatan.github.io
2014
July
Vendor: Trezor
Title: Malicious ScriptSig in transaction
Detail: A specially crafted transaction could extract the private key
Type: Transaction validation attack with authentication
Bug: Buffer Overflow
Reporter: Nicolas Bacca (Ledger)
Patch: https://github.com/trezor/trezor-firmware/commit/524f2a957afb66e6a869384aceaca1cb7f9cba60
2015
February
Vendor: Trezor
Title: SpendMultisig malicious change in transaction
Detail: A specially crafted transaction could contain a change output of an attacker, which wasn’t confirmed by the user
Type: Transaction validation attack with authentication
Bug: Insufficient transaction checks
Reporter: Nicolas Bacca (Ledger)
Patch: https://github.com/trezor/trezor-firmware/commit/137a60ce017c402ac160258bcc4b5f7b5aba0560
March
Vendor: Trezor
Title: Possible key extraction with oscilloscope
Detail: With physical access to the device and an oscilloscope, the private key could have been extracted from the device
Type: Signal noise / power analysis side channel
Bug: Keys were derived before the PIN was verified, and the nested loops in the derivation code gave it a data-dependent execution time that showed up in the power trace. Fixed by requiring the PIN first and minimizing nested loops so that execution time is closer to constant.
Reporter: Jochen Hoenicke
Patch: https://github.com/trezor/trezor-firmware/commit/7c6d2fe395c8475efbc93257892f0efac3d1511c
Explanation from reporter: https://jochen-hoenicke.de/crypto/trezor-power-analysis/
2017
August
Vendor: Trezor
Title: SRAM memory access
Detail: The SRAM was not cleared on soft reset, allowing extraction using special firmware and direct access to the device board
Type: Platform reset attack
Bug: SRAM not cleared on soft reset
Reporter: Sunny
Patch: https://github.com/trezor/trezor-firmware/commit/98e617d8740b85ae01d7d6e0dd3f49e66057a210
Explanation from vendor: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522
Explanation from reporter: https://saleemrashid.com/2017/08/17/extracting-trezor-secrets-sram/
2018
February
Vendor: Trezor
Title: STM32F205 chip issue
Detail: The bootloader's memory write-protection did not work as intended on the STM32F205 used in the Trezor One. The issue was addressed by activating the Memory Protection Unit (MPU), which keeps the bootloader safe from unauthorized writes.
Type: Supply chain attack
Bug: Bad chip configuration
Reporter: Saleem Rashid
Patch: https://github.com/trezor/trezor-firmware/commit/9588e8f2736b60916f51e470deb18f55112a6ebc
Explanation from vendor: https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Bad BIP32 implementation
Detail: Querying the ‘xpub’ API command for the master key path of both the hidden and the standard wallet allowed the private keys of both wallets to be reconstructed.
Type: API remote attack
Bug: Bad cryptography for the wallet vs hidden wallet derivation
Reporter: Saleem Rashid
Explanation from vendor: https://shiftcrypto.ch/bitbox01/disclosure
Explanation from reporter: https://saleemrashid.com/2018/11/26/breaking-into-bitbox
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Firmware Downgrade
Detail: The firmware of the BitBox01 could be downgraded to older official versions. Since the firmware version check happens in the bootloader, the patch could only be applied to newly produced devices; devices already delivered and in use remain susceptible to the attack.
Bug: Version Downgrade
Patch: https://github.com/digitalbitbox/mcu/commit/350c7a8eadc080436d0e7fa9ecebbb0e5246e5a4
March
Vendor: Ledger
Title: Padding oracle attack on SCP
Detail: A padding oracle attack was found on the Secure Channel established between the device and Ledger’s HSM. It allows an attacker to decrypt the firmware updates.
Bug: Distinguishable padding errors in Secure Channel Protocol (SCP) messages, usable as a decryption oracle
Reporter: Timothee Isnard
Explanation from vendor: https://www.ledger.com/firmware-1-4-deep-dive-security-fixes/
Vendor: Ledger
Title: MCU signature verification bypass
Detail: The signature verification of the MCU can be bypassed, allowing an attacker to perform supply chain attacks. It requires physical access to the device before the generation of the seed.
Type: Supply chain attack
Bug: Weak overall authentication architecture in the MCU, fixed with a series of small patches
Reporter: Saleem Rashid
Explanation from vendor: https://www.ledger.com/firmware-1-4-deep-dive-security-fixes/
Explanation from reporter: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Vendor: Ledger
Title: Isolation vulnerability
Detail: A malicious app can break the isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo.
Bug: Null pointer dereferencing, pointer length not properly checked, Flash zone not wiped properly after device reset.
Type: Privilege escalation
Reporter: Sergei Volokitin
Explanation from vendor: https://donjon.ledger.com/lsb/003/
Explanation from reporter: https://i.blackhat.com/us-18/Wed-August-8/us-18-Volokitin-Software-Attacks-On-Hardware-Wallets.pdf
May
Vendor: Trezor
Title: Race condition in recovery
Detail: Specially crafted USB communication packets could trigger a stack overflow in recovery which could lead to code execution.
Type: Stack overflow
Bug: During dry-run recovery, incoming USB packets were handled recursively, so a flood of crafted packets could overflow the stack
Reporter: Christian Reitter
Patch: https://github.com/trezor/trezor-firmware/commit/c9113fd3f5fcd78e9e560dbac75ed5aae359eb2d
Explanation from vendor: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-6-2-a3b25b668e98
Explanation from reporter: https://blog.inhq.net/posts/trezor-one-dry-run-recovery-stack-overflow/
Vendor: Trezor
Title: Message processing error
Detail: A specially crafted USB packet could trigger a buffer overflow, which could lead to code execution on older firmware.
Type: Buffer overflow
Bug: USB buffer overflow if the USB message buffer is flooded with specially crafted incoming messages
Reporter: Christian Reitter
Patch: https://github.com/trezor/trezor-firmware/commit/c9113fd3f5fcd78e9e560dbac75ed5aae359eb2d
Explanation from vendor: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-6-2-a3b25b668e98
July
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Simulating the secure chip
Detail: After physically breaking apart the BitBox casing, attaching invasive probes, and manipulating the data sent to the BitBox’s microcontroller, a BitBox could be reset without erasing the wallet secrets. A patch was provided on 31 July 2018.
Type: Information leak
Bug: Secrets not cleared after wallet reset
Reporter: Saleem Rashid
Explanation from vendor: https://shiftcrypto.ch/bitbox01/disclosure/
Explanation from reporter: https://saleemrashid.com/2018/11/26/breaking-into-bitbox
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Man-in-the-middle (MITM) between the mobile verification app and the BitBox.
Detail: When initially pairing a BitBox to the mobile verification app, a man-in-the-middle (MITM) on a compromised computer could insert themselves and later change the information displayed in the mobile app. The vendor provided a patch on 31 July 2018 in firmware v4.0.0. The vulnerability existed only during the initial pairing, and only if the user’s computer was compromised by an attacker aware of the issue.
Type: Information leak
Bug: Bad Crypto
Reporter: Saleem Rashid
Explanation from vendor: https://shiftcrypto.ch/bitbox01/disclosure/
Explanation from reporter: https://saleemrashid.com/2018/11/26/breaking-into-bitbox
August
Vendor: Trezor
Title: MPU circumvention via SYSCFG registers
Detail: The security fix deployed in firmware 1.6.1 could be circumvented by clever use of the SYSCFG registers. This was fixed by blocking access to the SYSCFG registers entirely via the MPU.
Type: Supply chain attack
Bug: MPU rule could be circumnavigated
Reporter: Sunny
Patch: https://github.com/trezor/trezor-firmware/commit/fdd5cbe20271634dc9ba4424ae40f1d11332cdf2
Explanation from vendor: https://blog.trezor.io/trezor-one-firmware-update-1-6-3-73894c0506d
September
Vendor: Trezor
Title: Buffer overflow in bech32_decode
Detail: The C reference implementation for bech32 has an unsigned integer overflow that can lead to a buffer overflow. The bug was fixed by preventing out-of-bounds accesses in the code.
Type: Buffer overflow
Bug: No sufficient out of bounds check
Reporter: Christian Reitter
Patch: https://github.com/trezor/trezor-firmware/commit/5c6b47288323a6cafe331304d2708a3c2a45f4b0
Explanation from vendor: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-7-1-5c34278425d8
October
Vendor: Trezor
Title: Buffer overflow in cash_decode
Detail: The cash_decode function in the trezor-crypto library allowed an out-of-bounds write. The bug was fixed by preventing the out-of-bounds accesses in the code.
Type: Buffer/stack overflow
Bug: No sufficient out of bounds check
Reporter: Gabriel Campana
Patch: https://github.com/trezor/trezor-firmware/commit/2bbbc3e15573294c6dd0273d2a8542ba42507eb0
Explanation from vendor: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-7-1-5c34278425d8
Vendor: Trezor
Title: Side-channel analysis (SCA) of PIN comparison
Detail: Using a SCA bench an attacker could create the database of power consumption and electromagnetic traces of a device. This database could later be used to unlock a locked device using the same SCA bench. The issue was fixed by rewriting the device storage to not compare PINs directly, but rather compare random data stretched by the PIN.
Type: Information leak
Bug: Naive implementation of PIN storage
Reporter: Charles Guillemet
Patch: https://github.com/trezor/trezor-firmware/commit/4f32cb508383ec0e65843d037f6ac6473a668359
November
Vendor: Trezor
Title: Information leak via U2F
Detail: The C/C++ reference implementation for U2F by Yubico contains a broken struct definition, which can leak bytes from RAM via USB. The bug was fixed by updating the struct definition to a correct one.
Type: Information leak
Bug: Bad struct memory layout
Reporter: Christian Reitter
Patch: https://github.com/trezor/trezor-firmware/commit/0b26c529ec49daf584f322f3ef959c79694c8cf5
Explanation from vendor: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-7-2-3c97adbf121e
Explanation from reporter: https://blog.inhq.net/posts/u2fhid_init_resp-information-leak/
Vendor: Ledger
Title: Bitcoin change address injection
Detail: A vulnerability was found in the Bitcoin app allowing an attacker to add an unverified output change address into a legit transaction. It can lead to sending funds to an arbitrary address without requiring an additional confirmation on the device. The original transaction still has to be confirmed though.
Bug: Bad Bitcoin transaction information validation
Reporter: Sergey Lappo
Explanation from vendor: https://donjon.ledger.com/lsb/004/
Explanation from reporter: https://sergeylappo.github.io/ledger-hack/
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Poking around the secure chip
Detail: The secure chip’s configuration leaves it without any security benefit in the BitBox01 hardware design. This is not patchable.
Type: Break of the existing security model, leading to a re-assessment of public security claims
Bug: Bad secure chip configuration.
Reporter: Saleem Rashid
Explanation from reporter: https://saleemrashid.com/2018/11/26/breaking-into-bitbox/
December
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Man-in-the-middle (MITM) between the mobile verification app and the BitBox
Detail: Encrypted USB communication, when not authenticated, can be modified by a man-in-the-middle (MITM) attacker in undesirable ways. A patch was provided on 4 December 2018 in firmware v5.0.0.
Type: Break on-hardware verification
Bug: Usage of a plain AES-256-CBC cipher for authentication. Never use encryption for authentication.
Reporter: Saleem Rashid
Explanation from vendor: https://shiftcrypto.ch/bitbox01/disclosure/
Vendor: Trezor
Title: SRAM Dump during the firmware update
Detail: Using special glitching hardware, an attacker could trick the processor into running at Read Protection level 1 (RDP1), which allows readout of RAM. The issue was fixed by not keeping sensitive data in RAM during the firmware update.
Type: Information leak
Bug: Sensitive values in RAM during firmware update
Reporter: wallet.fail
Patch: https://github.com/trezor/trezor-firmware/commit/07231d936e41335b3ec44c4c6eb336be006890d0
Explanation from vendor: https://blog.trezor.io/details-of-security-updates-for-trezor-one-firmware-1-8-0-and-trezor-model-t-firmware-2-1-0-408e59dc012
Explanation from reporter: https://media.ccc.de/v/35c3-9563-wallet_fail
Vendor: Ledger
Title: MCU Bootloader verification bypass.
Detail: The signature verification of the Ledger Nano S MCU can be bypassed, allowing an attacker to install an arbitrary firmware on the MCU.
Bug: The MCU bootloader’s firmware validity check, built around the 0xF00DBABE magic value, could be bypassed (the “f00dbabe” bug)
Reporter: wallet.fail
Explanation from vendor: https://donjon.ledger.com/lsb/005/
Explanation from reporter: https://media.ccc.de/v/35c3-9563-wallet_fail
2019
January
Vendor: Trezor
Title: Secret information leak via USB Descriptors
Detail: The attack used specialized hardware to inject a fault into a comparison function in the USB stack. When timed properly, the fault could trick the USB stack into returning sensitive data inside a USB descriptor.
Type: Information leak
Bug: Outgoing packets were allowed to be too large, and the MPU did not cover the sectors around the actual storage sectors; had it done so, the faulted read would have halted execution instead of leaking data
Reporter: Colin O’Flynn
Patch: https://github.com/trezor/trezor-firmware/commit/22f37e81a3270da5e8e5d6c55abc8f15f3a35567
Explanation from vendor: https://blog.trezor.io/details-of-security-updates-for-trezor-one-firmware-1-8-0-and-trezor-model-t-firmware-2-1-0-408e59dc012
Vendor: Coldcard
Title: Attack on Coldcard short PINs
Detail: The attack connects a man-in-the-middle (MITM) to the bus the Coldcard uses to communicate with its secure element (SE). Commands on the bus are then modified so that the MCU does not count failed PIN entry attempts, giving the attacker an unlimited number of guesses.
Type: Bypass of authentication
Bug: Bad secure chip answer verification
Reporter: Lazy Ninja
Explanation from vendor: https://blog.coinkite.com/use-long-pins/
Explanation from reporter: https://www.cryptolazyninja.com/2019/03/coldcard-wallet-short-pin-brute-force.html
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Information leak via U2F
Detail: The C/C++ reference implementation for U2F by Yubico contains a broken definition of a struct which can leak bytes from RAM via USB. The bug was fixed by updating the struct definition to a new correct one.
Bug: Bad struct memory layout
Reporter: Christian Reitter
Explanation from vendor: https://medium.com/shiftcrypto/important-security-news-about-version-4-4-0-upgrade-2449b745be9
Explanation from reporter: https://blog.inhq.net/posts/u2fhid_init_resp-information-leak/
March
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: BIP32 address derivation ransom attack
Detail: No restrictions on the BIP32 key paths accepted by the device allowed a ransom attack: funds could be sent to a change address on a path the user cannot easily rediscover
Bug: Bad interpretation of BIP32 and BIP44 standard
Explanation from vendor: https://medium.com/shiftcrypto/bitbox-desktop-app-4-6-0-with-firmware-6-0-3-release-ec46937afe7c
Explanation from vendor: https://medium.com/shiftcrypto/bitbox-desktop-app-4-5-0-with-firmware-6-0-2-release-fd77f8186a29
Vendor: Satoshi Labs
Product: Trezor 1
Title: Breaking Trezor One with Side Channel Attacks
Detail: A Side Channel Attack on PIN verification allows an attacker with a stolen Trezor One to retrieve the correct value of the PIN within a few minutes.
Type: Information leak
Bug: PIN validity was checked in constant time, but in sequence. The validity check thus exposed a unique side-channel signature during verification.
Reporter: Ledger Donjon
Explanation from vendor: https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4
Explanation from reporter: https://donjon.ledger.com/Breaking-Trezor-One-with-SCA/
April
Vendor: Trezor
Title: Information leak via OLED display
Detail: The attack uses power analysis to read the information shown on the OLED display.
Type: Information leak
Bug: OLED screens consume power based on number of pixels that are on. Mitigated here by making the number of pixels that are on per row when displaying the seed constant
Reporter: Christian Reitter
Patch: https://github.com/trezor/trezor-firmware/commit/f16c941ed4ac3c2e2c401de931249d0b2f34c29b
Explanation from vendor: https://blog.trezor.io/details-of-the-oled-vulnerability-and-its-mitigation-d331c4e2001a
Explanation from reporter: https://blog.inhq.net/posts/oled-side-channel-status-summary/
Vendor: Ledger
Title: OLED screen side-channel vulnerability.
Detail: A side-channel leakage on the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side-channel is relevant only if the attacker has enough control over the device’s USB connection to make power-consumption measurements and advanced statistical analysis while the secret data is displayed. The side-channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.
Type: Information leak
Bug: OLED screens consume power based on number of pixels that are on. Mitigated here by making the number of pixels that are on per row when displaying the seed constant
Reporter: Christian Reitter
Explanation from vendor: https://donjon.ledger.com/lsb/006/
Explanation from reporter: https://blog.inhq.net/posts/oled-side-channel-status-summary/
Vendor: Coldcard
Title: Possible Display Information Leak
Detail: The attack uses power analysis to read the information shown on the OLED display.
Type: Information leak
Bug: OLED screens consume power based on number of pixels that are on. Mitigated here by making the number of pixels that are on per row when displaying the seed constant
Reporter: Christian Reitter
Explanation from vendor: https://blog.coinkite.com/noise-troll/
Explanation from reporter: https://blog.inhq.net/posts/oled-side-channel-status-summary/
May
Vendor: BC Vault
Product: BC Vault One
Title: BC Vault One button side channel
Detail: The attack uses H-field probing and a USB resistor shunt to detect button presses, such as those made during initial PIN entry. The vendor received the report but attempted no mitigation and broke off communication with the reporter.
Bug: H-field Side Channel
Reporter: Christian Reitter
Explanation from reporter: https://blog.inhq.net/posts/bc-vault-one-button-side-channel/
June
Vendor: Coinkite
Product: Coldcard MK1 and MK2
Title: Laser Fault Injection
Detail: Using a vulnerability in the ATECC508A secure memory chip that the Coldcard MK1/MK2 use to store their secrets, an attacker can recover the PIN code of a Coldcard. The attack uses laser fault injection to bypass the access-condition verification; it requires decapping the chip and was not reproducible on the ATECC608A (which the Coldcard currently uses).
Bug: Inherent Weakness in ATECC508A
Reporter: Ledger Donjon
Explanation from vendor: https://blog.coinkite.com/laser-fault-injection/
Explanation from reporter: https://donjon.ledger.com/coldcard-pin-code/
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Blinking pattern mismatch
Detail: The blinking patterns of the BitBox01 reveal important information about the behaviour of the device
Bug: Bad differentiation between modes for the user
Reporter: Saleem Rashid
Explanation from vendor: https://medium.com/shiftcrypto/bitbox-desktop-app-4-9-0-with-bitbox01-firmware-6-1-1-release-1b84c5f9295f
July
Vendor: Shapeshift, Satoshi Labs
Product: Keepkey, Trezor One, Trezor T
Title: Unfixable Seed Extraction on Trezor - A practical and reliable attack
Detail: An attacker with a stolen device can extract the seed in less than 5 minutes with around $100 of equipment. This affects the Trezor One, Trezor T, KeepKey and all other Trezor clones. Because the vulnerability cannot be patched, Ledger Donjon decided not to publish technical details, to limit exploitation in the field. SatoshiLabs and KeepKey advised users to either exclude physical attacks from their threat model or to use a passphrase.
Type: Hardware Exploit
Bug: Not disclosed, but apparently a fundamental weakness of the STM32F205 chip. It cannot be fixed, and the vendors appear to have narrowed their threat model to exclude localized hardware attacks; physical security now relies on the use of an additional passphrase.
Reporter: Ledger Donjon
Explanation from vendor: No official explanation from Trezor; explanation from Keepkey: https://medium.com/shapeshift-stories/responding-to-ledgers-2019-breakingbitcoin-findings-4213849a4fb
Explanation from reporter: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/
August
Vendor: Shapeshift
Product: Keepkey
Title: OLED screen side-channel vulnerability.
Detail: Same as with Trezor, Ledger, Coldcard and BitBox02
Type: Information leak
Bug: OLED screens consume power based on the number of pixels that are on. KeepKey argues that, because it shows several seed words at once, the vulnerability does not apply to its device.
Reporter: Christian Reitter
Explanation from vendor: https://medium.com/shapeshift-stories/shapeshift-security-update-5b0dd45c93db
Explanation from reporter: https://blog.inhq.net/posts/oled-side-channel-status-summary/
October
Vendor: Trezor
Title: Malicious change in a mixed transaction
Detail: An attacker could create a specially crafted multisig transaction which would hide the multisig change address.
Type: Missing Check
Bug: Input and output Bitcoin transaction fingerprints were not sufficiently checked.
Reporter: Marko Bencun
Patch: https://github.com/trezor/trezor-firmware/commit/8eb6ce08995514c67d175b7197feeadeccc48ff0
Explanation from vendor: https://blog.trezor.io/details-of-the-multisig-change-address-issue-and-its-mitigation-6370ad73ed2a
Explanation from reporter: https://medium.com/shiftcrypto/a-remote-theft-attack-on-trezor-model-t-44127cd7fb5a
Vendor: Ledger
Title: Monero private key retrieval.
Detail: The Monero App for Ledger Nano was found to be vulnerable to a private key retrieval through the use of a malicious Monero Client (desktop application). Some computational elements are encrypted by the Nano S with a key only known to the Monero application, and sent to the desktop client for later use, due to space limitations on the Nano. During the final step of the signature (MLSAG sign), the client sends back some sensitive encrypted elements which the app uses to compute a Schnorr signature. A malicious client can misuse this by replaying earlier elements of this computation, and induce a variant of a nonce-reuse attack (see for example the PS3 Fail). This replay of commands is possible because the key derived by the app to encrypt elements is static, and there is no message authentication.
Bug: Bad MLSAG signature implementation
Patch: https://github.com/LedgerHQ/ledger-app-monero/commit/5d0658ad6369f3d0ff2d10ee9effa410eb185b98
Explanation from vendor: https://donjon.ledger.com/lsb/007/
Vendor: Coldcard
Title: Troublesome Change Outputs
Detail: It is possible to make a valid PSBT file that sends the change left over from a transaction to an unknown location. If an attacker had your XPUB and could alter your PSBT file before you sign, they could modify it so that the “change” (i.e. the balance of bitcoin you are sending back to yourself) goes to an effectively unknown address. A profit-motivated attacker can then ransom the knowledge of those change UTXOs back to you.
Bug: BIP32 address derivation ransom attack
Reporter: TheCharlatan
Explanation from vendor: https://blog.coinkite.com/troublesome-change/
Explanation from reporter: https://thecharlatan.github.io/Ransom-Coldcard/
Vendor: Coldcard
Title: Ransom attack on Coldcard’s receive address verification
Detail: By inserting newlines in the derivation path string sent to the Coldcard, the displayed characters could be split. This could trick users into verifying an address for a BIP32 derivation path that is not easily accessible.
Reporter: TheCharlatan
Bug: Bad input validation from host
Explanation from reporter: https://thecharlatan.github.io/Ransom-Coldcard/
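Worked example, added here and not code from Coinkite, Shift or the reporter: a strict derivation-path parser and a change-path plausibility check of the kind the BitBox01 (March 2019) and the two Coldcard (October 2019) ransom entries above call for. The path grammar, the rule that change must sit on the internal chain of the account being spent from, and the gap-limit window are my assumptions about a sensible policy; the sample paths are constructed.

```python
"""Strict derivation-path parsing and change-path plausibility check (added example)."""
import re
from typing import List, Tuple

HARDENED = 0x80000000
# Grammar: "m" then zero or more "/<decimal index>" with an optional ' or h hardened marker.
# fullmatch() leaves no room for whitespace or control characters, so a newline smuggled
# into the string cannot split what the device displays from what it derives.
_COMPONENT = r"(?:0|[1-9][0-9]*)['h]?"
_PATH_RE = re.compile(r"m(?:/" + _COMPONENT + r")*")


def parse_path(path: str) -> List[int]:
    """Return the path as a list of 32-bit child indices, hardened ones with the top bit set."""
    if not _PATH_RE.fullmatch(path):
        raise ValueError("malformed derivation path: %r" % path)
    indices = []
    for comp in path.split("/")[1:]:
        hardened = comp[-1] in "'h"
        idx = int(comp.rstrip("'h"))
        if idx >= HARDENED:
            raise ValueError("child index out of range")
        indices.append(idx | HARDENED if hardened else idx)
    return indices


def is_plausible_change_path(path: str, account: List[int], next_unused: int,
                             gap_limit: int = 20) -> Tuple[bool, str]:
    """Accept only <account>/1/<i> where i lies within gap_limit of the next unused change index.

    `account` is the wallet's own account prefix (e.g. m/84'/0'/0'); `next_unused` is the
    first change index the wallet has not handed out yet. Anything else is a path the user
    would struggle to rediscover, which is exactly what the ransom attacks rely on.
    """
    try:
        indices = parse_path(path)
    except ValueError as exc:
        return False, str(exc)
    if len(indices) != len(account) + 2:
        return False, "unexpected depth"
    if indices[:len(account)] != account:
        return False, "different account than the one being spent from"
    if indices[-2] != 1:
        return False, "not the internal (change) chain"
    if not (next_unused <= indices[-1] < next_unused + gap_limit):
        return False, "index outside the gap limit"
    return True, "ok"


# Constructed sample: a BIP84 account-0 wallet whose next unused change index is 5.
ACCOUNT = parse_path("m/84'/0'/0'")
NEXT_UNUSED = 5

if __name__ == "__main__":
    for candidate in ["m/84'/0'/0'/1/7",           # fine
                      "m/84'/0'/0'/1/2147483000",  # unreachable index
                      "m/84'/0'/0'/0/7",           # receive chain, not change
                      "m/84'/0'/7'/1/7",           # foreign account
                      "m/84'/0'/0'/1'/7",          # hardened change level
                      "m/84'/0'/0'/1/7\n/42"]:     # newline injection
        print(repr(candidate), is_plausible_change_path(candidate, ACCOUNT, NEXT_UNUSED))
```

The newline case is the one from the second Coldcard entry: a permissive parser that strips whitespace would derive one path and display another. Rejecting the string outright, before any derivation or display, is simpler than trying to render it safely.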
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Mobile pairing information leak BitBox01
Detail: ?
Bug: Bad cryptography
Reporter: Saleem Rashid
Explanation from vendor: https://medium.com/shiftcrypto/bitboxapp-4-14-0-5e72575b0819
Vendor: Shift Cryptosecurity
Product: BitBox01
Title: Base64 Parser Buffer Overflow
Detail: The BitBox01 uses the NibbleAndAHalf library for base64 encoding. Among several potential issues, it contains a critical buffer overflow that allows writing to adjacent heap memory. The NibbleAndAHalf library is not maintained for security bugs and should not be used by embedded projects where security matters. Since this bug could not be shown to critically change the program flow of the firmware, it received a low severity rating from the vendor (it was patched, but the unmaintained NibbleAndAHalf library remains in place).
Bug: Buffer Overflow, Bad choice of dependency
Reporter: Christian Reitter
Explanation from reporter: https://blog.inhq.net/posts/base64-parser-issues/
December
Vendor: Shapeshift
Product: Keepkey
Title: STM32 glitch attack
Detail: The same attack the wallet.fail team executed on the Trezor, reproduced on the KeepKey.
Bug: STM32F205 hardware weakness
Reporter: Kraken
Explanation from reporter: https://blog.kraken.com/post/3248/flaw-found-in-keepkey-crypto-hardware-wallet-part-2/
Vendor: Shapeshift
Product: Keepkey
Title: USB Packet Handling Bug
Detail: Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes on the stack via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB.
Bug: USB buffer overflow
Reporter: Christian Reitter
Explanation from vendor: https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3
Explanation from reporter: https://blog.inhq.net/posts/keepkey-CVE-2019-18671/
Vendor: Shapeshift
Product: Keepkey
Title: Mnemonic Wipe Bug
Detail: Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB.
Bug: Secrets not wiped fully, unclear at this time how this was achieved.
Reporter: Christian Reitter
Explanation from vendor: https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3
Explanation from reporter: https://blog.inhq.net/posts/keepkey-CVE-2019-18672/
Vendor: Shift Cryptosecurity
Product: BitBox02
Title: Bypass of monotonic counter in MCU
Detail: The monotonic counter limiting the number of attempts to enter the correct password could be bypassed. The monotonic counter of the Secure Chip was still active, however, limiting the number of available attempts to 730’500. Assuming a purpose-built brute-forcing device needs about 10 seconds per guess, reaching the upper limit would take approximately 85 days (non-stop). The probability of an attacker guessing, for example, a random 5-character password using lowercase, uppercase and digits is 0.08%, 6 characters 0.012%, and 7 characters 0.00002%. The vulnerability was patched with a series of robustness improvements to the firmware and by using the MCU’s memory protection unit (MPU).
Bug: Weakness in firmware hardening
Reporter: Lazy Ninja
Explanation from vendor: https://medium.com/shiftcrypto/bitboxapp-4-16-0-with-bitbox02-firmware-5-0-0-release-7073ade23988
Explanation from reporter: https://www.cryptolazyninja.com/2019/12/bitbox02-weak-password-attack.html
Vendor: Shapeshift
Product: KeepKey
Title: PIN Extraction by Side Channel
Detail: Using a resistor shunt and a power probe, a side-channel attack could be mounted against KeepKey’s PIN verification. Its non-constant-time AES and memcmp implementations, the two components that make fast brute-forcing possible, allowed the PIN to be extracted. KeepKey patched this in firmware version 6.4.1.
Bug: Non-constant time PIN verification
Reporter: Ledger Donjon
Explanation from reporter: https://donjon.ledger.com/keepkey-side-channel-attack/
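Worked example, added here and not any vendor’s code: the structural difference between the PIN checks broken in the Trezor (October 2018), Trezor One (March 2019) and KeepKey (December 2019) side-channel entries above and the kind of check that replaced them, plus a failure-by-default attempt counter of the sort the Coldcard (January 2019) and BitBox02 (December 2019) counter bypasses are about. The PBKDF2 verifier is my simplification of “compare random data stretched by the PIN”, not Trezor’s actual storage format; the counter is kept in memory here, whereas a real device keeps it in non-volatile or secure-element storage. Python cannot show a power trace, so the point is the shape of the code, not a measurement.

```python
"""PIN verification: early-exit comparison versus a stretched verifier with a
failure-by-default attempt counter (added example)."""
import hashlib
import hmac
import os


def naive_pin_check(entered: str, stored: str) -> bool:
    """Digit-by-digit comparison that stops at the first mismatch.

    The amount of work (and thus the power/EM trace) depends on how many leading
    digits are right, which is the kind of signal the SCA entries above exploit.
    """
    if len(entered) != len(stored):
        return False
    for a, b in zip(entered, stored):
        if a != b:
            return False
    return True


class PinVerifier:
    """The PIN itself is never stored or compared; a salted, stretched verifier is."""

    ITERATIONS = 20_000   # assumption: small enough to run instantly, large enough to show the idea

    def __init__(self, pin: str, max_attempts: int = 16) -> None:
        self.salt = os.urandom(16)
        self.verifier = self._stretch(pin)
        self.max_attempts = max_attempts
        self.failed_attempts = 0            # a real device keeps this in non-volatile storage

    def _stretch(self, pin: str) -> bytes:
        # Stretching turns a 4-digit secret into 32 bytes of key-like material, so the
        # comparison below operates on high-entropy data rather than on the digits.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.ITERATIONS, 32)

    def check(self, pin: str) -> bool:
        if self.failed_attempts >= self.max_attempts:
            return False                    # locked; stays that way until a wipe
        # Count the attempt *before* comparing, so that a glitch or a dropped reply on the
        # path between counter and comparison cannot turn into a free guess.
        self.failed_attempts += 1
        ok = hmac.compare_digest(self._stretch(pin), self.verifier)
        if ok:
            self.failed_attempts = 0
        return ok


def attempts_remaining(v: PinVerifier) -> int:
    return max(v.max_attempts - v.failed_attempts, 0)


if __name__ == "__main__":
    v = PinVerifier("4821", max_attempts=3)
    print(v.check("4821"), v.check("1234"), v.check("0000"), v.check("9999"), v.check("4821"))
    # True False False False False  <- the correct PIN is refused once the counter is exhausted
```

Two caveats a practitioner would add: the counter only helps if it lives in the same trust domain as the comparison (the Coldcard bus-MITM entry is exactly the case where the MCU counts while the secure element is the authority), and the constant-time compare only removes the early-exit leak; a scalar multiplication or key derivation that runs after it still needs its own side-channel review.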
Vendor: Coinkite
Product: Coldcard
Title: Multisig Change Script Vulnerability
Detail: The multisig change script could contain injected script opcodes. By appending an OP_DROP after the original multisig template, the attacker could make the victim spend to an unintended address: 1 <pubA> <pubB> 2 CHECKMULTISIG DROP 1 <pubM0> <pubM1> 2 CHECKMULTISIG. This was patched by ensuring that the redeem script remains exactly the same.
Bug: Bad transaction validation on device
Reporter: Dmitry Petukhov
Patch: https://github.com/Coldcard/firmware/commit/55f7cfd8ff6223a8f2a119519de2ee3c969bc06f/
Explanation from vendor: https://blog.coinkite.com/version-3.0.6-released/
Explanation from reporter: https://gist.github.com/dgpv/c580080cd6984fb0121b61f1e1b5db51/
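Worked example, added here and not Coldcard’s or the reporter’s code: a small script tokenizer and an exact-match check for a multisig redeem script, against the injected script from the entry above (and the same class of problem as the Trezor “Malicious change in a mixed transaction” entry from October 2019). The “prefix only” check is included purely for contrast as an illustration of an insufficient check; it is not a claim about what the Coldcard firmware actually did. The keys are constructed placeholders.

```python
"""Exact-match validation of a multisig change redeem script (added example)."""
from typing import List, Sequence, Tuple

# Standard Bitcoin script opcode values used below.
OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_1, OP_16, OP_DROP, OP_CHECKMULTISIG = 0x51, 0x60, 0x75, 0xAE


def parse_script(script: bytes) -> List[Tuple[int, bytes]]:
    """Tokenise a script into (opcode, pushed_data) pairs, rejecting truncated pushes."""
    ops: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                     # direct push of 1..75 bytes
            n, width = op, 0
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
            if i + width > len(script):
                raise ValueError("truncated PUSHDATA length")
            n = int.from_bytes(script[i:i + width], "little")
        else:                                   # any non-push opcode
            ops.append((op, b""))
            continue
        i += width
        data = script[i:i + n]
        if len(data) != n:                      # length field claims more bytes than exist
            raise ValueError("truncated push data")
        ops.append((op, data))
        i += n
    return ops


def small_int(op: int):
    """Value of OP_0 / OP_1..OP_16, or None for anything else."""
    if op == OP_0:
        return 0
    if OP_1 <= op <= OP_16:
        return op - OP_1 + 1
    return None


def is_exact_multisig(script: bytes, m: int, pubkeys: Sequence[bytes]) -> bool:
    """True only if script is exactly OP_m <pubkeys> OP_n OP_CHECKMULTISIG and nothing else."""
    try:
        ops = parse_script(script)
    except ValueError:
        return False
    n = len(pubkeys)
    if len(ops) != n + 3:
        return False
    if small_int(ops[0][0]) != m or small_int(ops[-2][0]) != n or ops[-1][0] != OP_CHECKMULTISIG:
        return False
    return [d for _, d in ops[1:-2]] == list(pubkeys)


def prefix_only_check(script: bytes, m: int, pubkeys: Sequence[bytes]) -> bool:
    """Insufficient check, for contrast: validates the leading template and ignores the rest."""
    try:
        ops = parse_script(script)
    except ValueError:
        return False
    n = len(pubkeys)
    if len(ops) < n + 3:
        return False
    head = ops[:n + 3]
    return (small_int(head[0][0]) == m and [d for _, d in head[1:-2]] == list(pubkeys)
            and small_int(head[-2][0]) == n and head[-1][0] == OP_CHECKMULTISIG)


def push(data: bytes) -> bytes:
    return bytes([len(data)]) + data            # direct push; enough for 33-byte keys


def multisig_script(m: int, pubkeys: Sequence[bytes]) -> bytes:
    return (bytes([OP_1 + m - 1]) + b"".join(push(pk) for pk in pubkeys)
            + bytes([OP_1 + len(pubkeys) - 1, OP_CHECKMULTISIG]))


# Constructed placeholder keys (compressed-key shaped, not real keys).
PUB_A, PUB_B = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32      # the wallet's own cosigners
PUB_M0, PUB_M1 = b"\x02" + b"\xaa" * 32, b"\x03" + b"\xbb" * 32    # attacker keys

LEGIT_CHANGE = multisig_script(1, [PUB_A, PUB_B])
# The injected script from the entry above: the honest CHECKMULTISIG result is DROPped
# and the attacker's 1-of-2 decides who can spend.
INJECTED_CHANGE = LEGIT_CHANGE + bytes([OP_DROP]) + multisig_script(1, [PUB_M0, PUB_M1])

if __name__ == "__main__":
    print("legit, exact    :", is_exact_multisig(LEGIT_CHANGE, 1, [PUB_A, PUB_B]))
    print("injected, exact :", is_exact_multisig(INJECTED_CHANGE, 1, [PUB_A, PUB_B]))
    print("injected, prefix:", prefix_only_check(INJECTED_CHANGE, 1, [PUB_A, PUB_B]))
```

The design choice is that the device rebuilds the redeem script it expects from its own keys and compares whole scripts, rather than scanning the host-supplied script for the keys it recognises. Tokenising before comparing also makes the truncated-push cases from the bech32/cash_decode entries above an explicit error instead of an out-of-bounds read.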
2020
January
Vendor: Ledger
Product: Ledger Nano
Title: Monero Private Key Retrieval
Detail: Re-use of a parameter in the mlsag_sign function of the Ledger Monero app allowed possible spend-key extraction by the host. Ideally this parameter should be random and never re-used. In practice the issue was solved by keying the different HMACs with values specific to each operation. Several other problems in the app made the exploit easier; the write-up by ph4r05 gives a good overview of them.
Bug: Bad Crypto Implementation
Reporter: ph4r05
Explanation from vendor: https://donjon.ledger.com/lsb/008/
Explanation from reporter: https://deadcode.me/blog/2020/04/25/Ledger-Monero-app-spend-key-extraction.html
February
Vendor: Ledger
Product: Ledger Nano
Title: Monero tx unlock time not verified
Detail: Non-verification of the monero unlock time value could have allowed a compromised host to permanently lock-up a user’s monero. After the initial patch another bug (integer overflow) was introduced that would have allowed the host to show a wrong unlock time to the user.
Bug: Bad transaction validation on device
Reporter: TheCharlatan
Explanation from vendor: https://donjon.ledger.com/lsb/009/
Explanation from reporter: https://thecharlatan.ch/Wallet-Timelock/
Vendor: Trezor
Product: Model T
Title: Monero tx unlock time not verified
Detail: Non-verification of the Monero unlock time value could have allowed a compromised host to permanently lock up a user’s Monero.
Bug: Bad transaction validation on device
Reporter: TheCharlatan
Explanation from vendor: https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-0-and-trezor-model-t-version-2-3-0-46deb141fc09
Explanation from reporter: https://thecharlatan.ch/Wallet-Timelock/
March
Vendor: Coinkite
Product: Coldcard
Title: Supply Chain Attack with attacker controlled Firmware
Detail: The Coldcard does a factory reset when an existing PIN is changed to an empty PIN, contrary to Coldcard’s claims that a factory reset is impossible. This can be used to distribute tampered devices without much effort. Coldcard has not patched the issue to date.
Bug: Bad PIN check / zero condition
Reporter: TheCharlatan
Explanation from vendor: https://blog.coinkite.com/supply-chain-trust-minimized/
Explanation from reporter: https://thecharlatan.github.io/Coldcard-Supply-Chain/
Vendor: Trezor
Product: Model T
Title: OP_RETURN treated as change output
Detail: By filling the address_n field with a change address in a Trezor protobuf message, an OP_RETURN transaction would be signed without user verification. This could potentially impact Omni Layer transactions that make use of the OP_RETURN data.
Bug: Bad transaction validation on device
Reporter: Saleem Rashid
Patch: https://github.com/trezor/trezor-firmware/commit/0903159d9b2df447434b9a5afdbca3eae8b4e52b
Explanation from vendor: https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-0-and-trezor-model-t-version-2-3-0-46deb141fc09
Vendor: Trezor
Product: Model T
Title: Malicious Change in Mixed Transactions
Detail: In Trezor’s two-stage transaction validation and signing process, claims about the addresses made in the first stage were not sufficiently verified in the second stage. This could be used to insert a malicious 1-of-2 multisig change output into the transaction. This is very similar to the attack discovered by Marko Bencun in October 2019.
Bug: Bad transaction validation on device
Reporter: Saleem Rashid
Explanation from vendor: https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-0-and-trezor-model-t-version-2-3-0-46deb141fc09
Vendor: Trezor
Product: Model T
Title: Insufficient field size check in Protobuf
Detail: When signing a bitcoin transaction, the previous transaction output hash field should always be exactly 32 bytes long. The Trezor Model T did not check this length correctly. Hidden in an overlong prevhash could be an unrelated output that the Trezor would then sign as part of the transaction. The attacker could then spend the coins sent to this signed output.
Bug: Bad input validation and length restriction
Reporter: Saleem Rashid
Patch: https://github.com/trezor/trezor-firmware/commit/da89a17ce5c45972e5523dceb67ffbebf62d05c2
Explanation from vendor: https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-0-and-trezor-model-t-version-2-3-0-46deb141fc09
Vendor: Trezor
Product: Model T
Title: Inconsistent sanitization of transaction inputs
Detail: Yet another case of injecting a 1-of-2 multisig output as a change output. The attacker creates a transaction with a single-sig input and a multisig output. If the multisig field is sent in the protobuf message together with the single-sig input, the device incorrectly marks the malicious multisig output as a change output.
Bug: Bad input and transaction validation on device
Reporter: Saleem Rashid
Explanation from vendor: https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-0-and-trezor-model-t-version-2-3-0-46deb141fc09
Vendor: All
Product: All hardware wallets with segwit support
Title: Large transaction fee via two Segwit transactions
Detail: A user has two UTXOs, one with value 15 BTC and hash_prev 1 and another with 20 BTC and hash_prev 2. He now creates a transaction spending 20 BTC plus a small fee. For this the malware selects as input 1 the UTXO with hash_prev 1 and a value of 15 BTC and creates a faked input 2 consuming the hash_prev 2 of the UTXO with 20 BTC, but lies about the amount and sets it to 5.00001 BTC. The user confirms the transaction as spending 20 BTC plus 0.00001 BTC fee. The malware then reports an error and asks the user to re-sign the transaction. This time, it creates fake input 1 with hash_prev 1, but fake amount 0.00001 BTC, and real input 2 with hash_prev 2 and fake amount 20 BTC. The user again sees that he is spending 20 BTC plus 0.00001 BTC fee and signs the transaction. The malware then takes input 1 of the first transaction and combines it with input 2 of the second transaction. This yields a valid transaction with valid previous amounts, but with a fee of (20 + 15) - 20 = 15 BTC. This extra fee can either be used as a ransom, or to share profit with a miner. The solution to this problem is to validate that the amount of the input transaction is not fraudulent. The only way to achieve this is to check that the transaction committed to in the transaction input actually contains the balance as claimed.
Bug: Time of check was not time of use for the transaction input balance validation. This disclosure left a wake of controversy, since hosts without a transaction index are now left without hardware wallet support.
Reporter: Saleem Rashid
Explanation from vendors:
https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd
https://donjon.ledger.com/lsb/010/
https://medium.com/shiftcrypto/bitbox-app-firmware-update-6-2020-c70f733a5330
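The check this disclosure calls for, as an added example (not any vendor’s firmware code): bind each input’s claimed amount to the output of the previous transaction it commits to by hash, so the 5.00001 BTC lie in the first signing request is caught before anything is signed. PrevTx, TxInput and verify_input_amounts are names chosen here, the UTXOs are constructed, and the PrevTx serialization is a simplified stand-in for Bitcoin’s wire format.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SATS = 100_000_000  # satoshis per BTC

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as used for Bitcoin transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

@dataclass(frozen=True)
class PrevTx:
    """A previous transaction reduced to its outputs. The serialization below is
    a simplified stand-in for this example, not Bitcoin's actual wire format."""
    outputs: Tuple[Tuple[int, bytes], ...]  # (value in sats, scriptPubKey)
    def txid(self) -> bytes:
        buf = struct.pack("<I", len(self.outputs))
        for value, script in self.outputs:
            buf += struct.pack("<q", value) + struct.pack("<I", len(script)) + script
        return sha256d(buf)

@dataclass(frozen=True)
class TxInput:
    prev_hash: bytes     # txid this input claims to spend
    prev_index: int      # output index in that transaction
    claimed_amount: int  # value the host claims for this input, in sats

def verify_input_amounts(inputs: List[TxInput], prev_txs: Dict[bytes, PrevTx]) -> bool:
    """The fix: every claimed amount must equal the value of the output that the
    input commits to by hash. Recompute the hash instead of trusting the map key."""
    for inp in inputs:
        prev = prev_txs.get(inp.prev_hash)
        if prev is None or prev.txid() != inp.prev_hash:
            return False  # previous transaction missing or not the one committed to
        if not 0 <= inp.prev_index < len(prev.outputs):
            return False
        if prev.outputs[inp.prev_index][0] != inp.claimed_amount:
            return False  # host lied about the input value
    return True

# Constructed UTXOs matching the scenario above: 15 BTC and 20 BTC.
UTXO_15 = PrevTx(((15 * SATS, b"\x00\x14" + b"\x11" * 20),))
UTXO_20 = PrevTx(((20 * SATS, b"\x00\x14" + b"\x22" * 20),))
PREV_TXS = {UTXO_15.txid(): UTXO_15, UTXO_20.txid(): UTXO_20}

def honest_inputs() -> List[TxInput]:
    return [TxInput(UTXO_15.txid(), 0, 15 * SATS), TxInput(UTXO_20.txid(), 0, 20 * SATS)]

def first_signing_request() -> List[TxInput]:
    """Malware's first request: real 15 BTC input plus the 20 BTC input claimed as 5.00001 BTC."""
    return [TxInput(UTXO_15.txid(), 0, 15 * SATS), TxInput(UTXO_20.txid(), 0, 5 * SATS + 1000)]

def displayed_fee(inputs: List[TxInput], outputs_total_sats: int) -> int:
    """Fee the device would display if it trusted the claimed amounts."""
    return sum(i.claimed_amount for i in inputs) - outputs_total_sats
```

With the check in place the first request is rejected outright; without it the device shows a 0.00001 BTC fee while the real fee of the stitched-together transaction is 15 BTC.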
June
Vendor: Ledger
Product: Ledger Nano X
Title: JTAG/SWD Protocols Enabled on STM32WB55 Unsecured Processor
Detail: The Ledger Nano X MCU had its debug interfaces enabled. This could effectively allow either a supply chain attacker or an evil maid to convert the device into a USB rubber ducky. However, a scenario in which the user’s funds are effectively compromised could not be constructed.
Bug: Debug interfaces open on production device
Reporter: Kraken Security Lab
Explanation from vendor: https://donjon.ledger.com/lsb/013/
Explanation from reporter: https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/
August
Vendor: Skycoin
Product: Sky Wallet
Title: Protobuf tiny message buffer overflow
Detail: Disclosed among a host of memory issues found in the Skycoin Wallet firmware, the vulnerability triggers an out of bounds write in the protobuf message handling when a tiny message is sent. A very similar exploit was possible before on the Trezor One (on which the Sky Wallet is based). Though it can be triggered early in the USB communication and pre-authentication, it could not be leveraged at the time to gain unauthenticated access to the wallet.
Bug: Buffer overflow in protobuf message handling
Reporter: Christian Reitter
Explanation from reporter: https://blog.inhq.net/posts/skycoin-firmware-vuln//
Vendor: Ledger
Product: Ledger Nano X and S
Title: Bitcoin derived fork/altcoins cross account stealing
Detail: The Ledger Bitcoin app is an umbrella app for all bitcoin forks and bitcoin style altcoins. Apps for the specific coins are compiled by adding flags during the compilation process. This means that the key path validation and derivation is all done based on the logic in the Bitcoin app. An attacker can use this circumstance to sign transactions meant for one coin on another coin’s network, while making the user believe that he is indeed signing for the correct coin and network.
Bug: Bad key path validation and isolation between apps
Reporter: Monokh
Explanation from vendor: https://donjon.ledger.com/lsb/014/
Explanation from reporter: https://monokh.com/posts/ledger-app-isolation-bypass
Vendor: Coinkite
Product: Coldcard
Title: Bitcoin derived fork/altcoins/networks cross account stealing
Detail: The same as the Ledger issue, but between Bitcoin testnet and mainnet
Bug: Bad key path validation and isolation between apps
Reporter: benma
Explanation from vendor: https://blog.coinkite.com/testnet-considered-useful/
Explanation from reporter: https://benma.github.io/2020/11/24/coldcard-isolation-bypass.html
Vendor: Shapeshift
Product: Keepkey
Title: Bitcoin derived fork/altcoins cross account stealing
Detail: Same as Ledger
Bug: Bad key path validation and isolation between apps
Reporter: TheCharlatan
Explanation from reporter: https://thecharlatan.ch/Coin-Isolation/
Vendor: Trezor / Keepkey
Product: All their hardware wallets
Title: A ransom attack on Trezor’s and KeepKey’s passphrase handling
Detail: Both KeepKey and Trezor allow entering the mnemonic passphrase (aka the 25th word) on the host machine in order to create and seed a new wallet. There is no visual confirmation of this word on the device once it has been entered. This allows a compromised host or man in the middle to send an arbitrary/fake passphrase to the device without the user noticing. The attacker can then change this arbitrary/fake passphrase in order to withhold access to the coins, and can even ask for ransom in order to reveal the original passphrase again.
Bug: No visual confirmation of passphrase on device. TOCTOU.
Reporter: benma
Explanation from vendor: https://blog.trezor.io/firmware-updates-for-trezor-model-t-version-2-3-3-and-trezor-model-one-version-1-9-3-c94f7a3b6fea
Explanation from reporter: https://benma.github.io/2020/09/02/trezor-keepkey-passphrase.html
Footnotes
Relevant blogs:
Christian Reitter: https://blog.inhq.net/
Saleem Rashid: https://saleemrashid.com/
wallet.fail: https://wallet.fail/
0xDEADC0DE / ph4r05: https://deadcode.me/
Lazy Ninja: https://www.cryptolazyninja.com/
Monokh: https://monokh.com/
benma: https://benma.github.io/
Vendor Security Programs:
Trezor: https://trezor.io/security/
Ledger: https://donjon.ledger.com/bounty/
Shift Cryptosecurity: https://shiftcrypto.ch/policies/bug-bounty-policy/
Shapeshift: https://shapeshift.com/responsible-disclosure-program
Coinkite: https://coinkite.com/responsible-disclosure
Corporate Security Blogs:
Kraken Security: https://blog.kraken.com/post/category/kraken-news/security/
Ledger Donjon: https://donjon.ledger.com/