Kraken Security Labs has devised a way to extract seeds from both cryptocurrency hardware wallets offered from industry leader Trezor, the Trezor One and Trezor Model T. The attack requires just 15 minutes of physical access to the device. This is the first time that…
Sheesh. Trezor shouldn't have jumped on the physically secure bandwagon. 95% of the security of a hardware wallet is against malware, not thieves breaking into your apartment, and by trying to address the latter you harm HW auditing.
This type of attack has always been a concern with Trezor, since they don't have a separate secure crypto chip to store the key material like the Ledger has.
brianddk (Platinum | QC: BTC 617, Coinbase 111, CC 60 | Exch) · 7 months ago
FWIW, the wallet.fail group disclosed that they had to let glitch.py run for 90 days to get a successful dump of the FW. The Kraken team mentioned it took 2 minutes to crack PIN 1234 and likely 3 minutes to depop the chip. I have my doubts they were able to get a successful glitch in 10 minutes, but that appears to be their claim.
The PIN crack also seemed pretty slow to me. I would have expected a 4 digit pin to fall much faster than 120 seconds. They claim:
> The script was able to brute force any 4-digit pin in under 2 minutes.
That yields only 83.3 pins per second. At that rate a pin like 987654321 would take years.
Also the new sd-protect feature on model-T allows you to encrypt the FW with full AES-128 bit encryption instead of relying on a pin.
Other than that... yes, use a passphrase. The attack only works on wallets without passphrases.
> and where is the key for that encryption?
On a removable SD card that you remove while the device is idle / unplugged. Store Trezor on your keychain and SD in your fiat wallet or in your phone or buried in a lead lined box in your back yard.
Now the trezor requires something you know (passphrase) and something you have (SD) to produce the wallet.
But as always... anyone who doesn't use a passphrase or doesn't remove the SD is just practicing poor security. On them.
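Added example (my own code, not from the thread, Kraken or Trezor): a toy model of the "something you know + something you have" point above, with the seed encrypted under a key mixed from PIN, passphrase and an SD-card key, and the 83.3 PIN/s rate from the comment used to size the brute-force window. The SHAKE-keystream cipher and single-HMAC key derivation are stand-ins assumed for brevity, not Trezor's actual scheme.

```python
import hashlib
import hmac

ATTEMPTS_PER_SECOND = 10_000 / 120   # 4-digit space in under 2 minutes, per the thread

def derive_key(pin: str, passphrase: str = "", sd_key: bytes = b"") -> bytes:
    # Toy model: the three factors are mixed into one 16-byte key. A single
    # HMAC (no stretching) is deliberate so the brute-force loop below runs fast;
    # Trezor's real derivation is different and is not reproduced here.
    material = pin.encode() + b"\x00" + passphrase.encode()
    return hmac.new(sd_key or b"no-sd-card", material, "sha256").digest()[:16]

def encrypt(seed: bytes, key: bytes) -> tuple[bytes, bytes]:
    # Stand-in for AES-128: SHAKE keystream XOR plus an HMAC tag so a wrong key is detectable.
    keystream = hashlib.shake_256(key).digest(len(seed))
    ct = bytes(a ^ b for a, b in zip(seed, keystream))
    return ct, hmac.new(key, ct, "sha256").digest()

def decrypt(ct: bytes, tag: bytes, key: bytes):
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None                       # wrong PIN / passphrase / SD key
    keystream = hashlib.shake_256(key).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))

def brute_force_pin(ct, tag, passphrase="", sd_key=b"", digits=4):
    # Attacker model from the thread: try every PIN with whatever other
    # factors are on hand. Returns the PIN that decrypts, or None.
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if decrypt(ct, tag, derive_key(pin, passphrase, sd_key)) is not None:
            return pin
    return None

def seconds_to_exhaust(digits: int, rate: float = ATTEMPTS_PER_SECOND) -> float:
    # Wall-clock time to try every PIN of the given length at the stated rate.
    return 10 ** digits / rate

if __name__ == "__main__":
    seed = b"constructed 16B!"            # constructed stand-in for a wallet seed
    sd = b"constructed-sd-card-key"       # the "something you have"
    pin_only = encrypt(seed, derive_key("1234"))
    two_factor = encrypt(seed, derive_key("1234", "correct horse", sd))
    print("PIN only:", brute_force_pin(*pin_only))                 # 1234
    print("no SD, no passphrase:", brute_force_pin(*two_factor))   # None
    print("with both factors:", brute_force_pin(*two_factor, "correct horse", sd))
    print(f"9 digits at {ATTEMPTS_PER_SECOND:.1f}/s: {seconds_to_exhaust(9)/86400:.0f} days")
```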