Crypto hardware wallet provider OneKey says it has addressed a vulnerability in its firmware that allowed one of its hardware wallets to be hacked in under a second.
On February 10, a video on YouTube posted by cybersecurity startup Unciphered showed that they had found a way to exploit a “massive critical vulnerability” in order to “unlock” the OneKey Mini.
According to Eric Michaud, partner at Unciphered, by disassembling the device and entering the coding, OneKey Mini can return to “factory mode” and bypass the security pin, allowing potential attackers to remove the mnemonic phrase used to recover a wallet.
https://www.youtube.com/watch?v=b8OrakRJmHE
“You have a CPU and a secure element. The secure element is where you store the crypto key. Now, usually, communication is encrypted between the CPU, where the process is completed, and the secure element,” explained Michaud.
“Well, it turned out not to be engineered in this case. So what you can do is put a tool in the middle that monitors the communication and intercepts and then injects the command itself,” he said, adding:
“We do that then tell the safe element that is in the factory mode and we can take your mnemonic, which is your money in crypto.”
However, in a February 10 statement, OneKey said it had resolved the security flaws identified by Unciphered, noting that the hardware team had updated security patches “earlier this year” without “anyone being affected,” and that “All the vulnerabilities disclosed have been or under repair.”
Our Response to New Security Fix Report https://t.co/Dp9nNp1D0U
– OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
“That said, with passwords and basic security practices, even a physical attack revealed by Unciphered will not affect OneKey users.”
The company further confirmed that while the vulnerability is present, the attack vector identified by Unciphered cannot be used remotely and requires “disassembly of the device and physical access through a dedicated FPGA device in the laboratory in order to be executed.”
According to OneKey, in correspondence with Unciphered, it was announced that other wallets were found to have the same problem.
“We also pay Unciphered rewards to thank you for your contribution to OneKey’s security,” OneKey said.
related: ‘Haunts me to this day’ – Crypto project hacked for $4M in hotel lobby
In its blog post, OneKey said it has gone to great lengths to ensure user security, including protecting against supply chain attacks — when hackers replace the original wallet with one they control.
OneKey measures include tamper-resistant packaging for delivery and the use of supply chain service providers from Apple to ensure strict supply chain security management.
In the future, they hope to implement onboard authentication and upgrade newer hardware wallets with higher security components.
OneKey notes that the main purpose of hardware wallets is to protect users’ money from malware attacks, computer viruses and other remote dangers, but admits that unfortunately, nothing can be 100% safe.
“When we look at the entire manufacturing process of the hardware wallet, from the silicon crystal to the chip code, from the firmware to the software, it is safe to say that with enough money, time and resources, any hardware barrier can be breached, even if it is a nuclear weapon. control system.”