Two Novel Crypto Wallet Exploits, Explained
At the ‘Off the Chain’ Web3 security conference in San Francisco in June, Unciphered–a cryptocurrency asset recovery company–unveiled three novel exploits impacting popular (and once-popular) crypto wallets Electrum Bitcoin Wallet, Trezor One, and Ethereumwallet.com.
While the recovery of more than 1400 private keys from the long-defunct and non-custodial crypto wallet website Ethereumwallet represented the largest crypto sum accessed by Unciphered, the conference host also revealed significant vulnerabilities affecting the two other wallets.
Unciphered’s two bitcoin-relevant exploits targeted the widely trusted Electrum wallet and the Trezor One hardware vault. Eric Michaud, the co-founder of Unciphered and the ‘Off The Chain Conference’ said the Electrum vulnerability was the most significant hack disclosed by his team. In the hands of a blackhat, noted Michaud, the Electrum remote code execution (RCE) exploit “could have caused a lot of trouble.”
For bitcoin users, this exploit duo is consequential, given Electrum and Trezor’s adoption by more sophisticated and wealthier members of the crypto community.
The Electrum RCE
Launched in 2011, Electrum is one of the oldest and most popular wallets in existence. Specifically, Electrum is world-renowned among bitcoiners for its security safeguards and non-custodial architecture, meaning that depositors always have full control over their crypto assets, compared to centralized exchanges.
Electrum also comes standard and pre-installed on the Tails Linux Debian portable operating system, which is favored by pro-privacy and anti-surveillance advocates, along with more sophisticated users of the dark web. At the conference, Unciphered demonstrated a vulnerability in the form of an adversarial QR code targeting Electrum wallets running on Windows 10 machines.
This vulnerability impacted every Electrum version released since April 2015 until a week before the security conference (when it was patched), Michaud said in a recording of the exploit demonstration. The Electrum QR code exploit facilitated “authentication token capture” which could have enabled an adversary to access a compromised Electrum wallet account on a Windows 10 device and all bitcoins contained therein.
In the recording of the Electrum hack demonstration, Michaud likened the exploit to a Log4J-level vulnerability, referencing the “catastrophic” open-source, supply-chain flaw in the logging library used by Java applications, which was discovered by an Alibaba security researcher last November. In a similar vein to the Log4j RCE vulnerability, the Electrum Wallet QR code function did not check the validity of the input it was reading, allowing a hypothetical attacker to deploy whatever malicious implant they could have staged.
Michaud also noted this malicious QR code could have “potentially impacted Electrum wallets on every operating system, even those on mobile devices.” The amount of Bitcoin and other crypto assets that could have been swiped by adversaries willing to invest time and effort into using this “modified payment request” QR code is potentially very large, given the popularity of this wallet with depositors who are more likely to be holding more sizable crypto portfolios.
Compounding the potential blast radius of this vulnerability are some 2,700 forks of the Electrum source code, according to the Wallet’s GitHub repository. Michaud said these forks represent other projects that borrowed Electrum’s open GitHub code to build their own wallet applications.
While many of these forked projects are not widely used, some well-known providers use Electrum as the basis for their own wallets, including Electron Cash Wallet (Bitcoin Cash), Electrum-LTC (LiteCoin), Electrum-Atom (Bitcoin Atom), Electrum-SV (Bitcoin SV), Electrum-RVN (RavenCoin), Electrum-Qtum, and Electrum-Zcash.
These projects were thus vulnerable to the same kind of QR code attack. Luckily, Electrum and other forked large-user projects using the Electrum code base patched this QR code vulnerability ahead of the conference, following Unciphered’s disclosure of the exploit to the Electrum team, Michaud said.
Thomas Voegtlin, the Berlin-based founder of Electrum Technologies and its eponymous wallet, reviewed Unciphered’s attack on his product and said it’s “difficult to assess the severity of this vulnerability. The exploit that was demonstrated is rather a chain of exploits, that seems to require very specific conditions. We did not receive full information from Unciphered about the exact setup they used.”
“Nevertheless, we can infer that a particular SMB (Server Message Block) network configuration is needed, that the attacker needs to have access to the same trusted network as the victim, that the attacker needs to convince the victim to scan a payment request of theirs, and that the victim’s Windows password needs to be weak and amenable to bruteforce attack,” said Voegtlin.
SMB is a communication protocol that is interoperable across the most common operating systems, and which is “used for sharing access to files, printers, serial ports and other resources on a network.”
Ultimately, Voegtlin said he believes it is “unlikely” the Electrum vulnerability uncovered by Unciphered “could have been exploited under realistic conditions.” The Electrum team is nevertheless “thankful” that Unciphered disclosed the exploit to them, he said.
The next most significant exploit demonstrated at the conference was the Trezor One wallet bruteforce attack. The Unciphered co-founder said his team set the world record for the fastest time to crack a new and fully patched Trezor One, bypassing the hardware wallet’s recently upgraded encryption in just under 30 minutes.
This exploit is derived from the ‘critical flaw’ uncovered by crypto-exchange Kraken’s security team back in January 2020. In order to hack Trezor anew, Unciphered developed an entirely novel bruteforce attack tool that is more sophisticated than Kraken’s old ‘readout protection downgrade’ (RDP) exploit. Specifically, Unciphered rigged a cluster of nine graphics processing unit (GPU) cards to launch a scalable attack that exhausted all of Trezor’s nine-digit pin combinations in record time with new proprietary code.
In his demonstration, however, Michaud noted that several key steps in the exploit chain had been omitted to prevent bad actors from illegally compromising Trezor products. Also, prior to this exploit, a typical central processing unit (CPU) on a PC only had the computing power to execute pin-code combination attempts at around 25 pins per second using the previously released Kraken Labs code, according to Unciphered’s chief technology officer, Tom Smith.
On a normal PC, this limitation means it would have taken over 300 years to crack a 12-digit Trezor pin and a proportionally shorter amount of time for a nine-digit combination, said Smith. With this new bruteforce tool, however, Unciphered was able to crack a latest-edition Trezor One, launching pin code combinations at the speed of over 500,000 pins per second.
Harnessing this new bruteforce capability enables Unciphered to crack a 12-digit pin in less than a week and a nine-digit combination in less than 15 minutes, Smith said. The Trezor team, “clapped back,” in Michaud’s words to Unciphered presentation, with this tweet adding additional context to the apparent exploit.
“Using a passphrase fully mitigates the attack,” said Trezor, referencing their 2020 blog post response to the RDP exploit disclosed by Kraken. Trezor also said they were working with Czech security startup Tropic Square to improve the “physical security” of their products.
Josef Tětek, a Prague-based bitcoin analyst for Satoshi Labs, Trezor’s parent company also told Bitcoin Magazine the following: “Regarding potential vulnerabilities, we have a responsible disclosure program and are happy to work with well-intentioned researchers. We are not aware of any vulnerability compromising the passphrase protection.”
“We have addressed the previously discovered vulnerability bypassing the PIN protection on our blog here. It’s worth noting that any such vulnerabilities are linked to an attacker getting a physical hold of the device and cannot be performed remotely. To mitigate the risk of attackers getting hands on users’ Trezors, we advise using a passphrase.”
When asked about this response, Unciphered said that they have helped customers recover passphrase protected or hidden wallets using proprietary tools they’ve developed, but added the caveat that they have a thorough profiling method they use to narrow down the scope of possibilities to try when confronted with particularly complex passphrases.
Beyond wallet hack demonstrations and helping bitcoin investors locked out of their funds regain access, it remains to be seen how the digital asset recovery industry business will evolve during this most recent crypto winter cycle and all the fraud investigations rapidly unfolding globally in the wake of its icy devastation.