Swiss hardware wallet provider Shift Crypto said it has disclosed a vulnerability in the Trezor and KeepKey hardware wallets that could allow for potential ransom attacks – while a potentially nasty new malware strain is threatening to cause widespread wallet theft if left unchecked.
The vulnerability can potentially be exploited when users enter passphrases on their devices.
And researchers at cybersecurity firm ESET have discovered a previously undocumented trojan malware family which spreads through malicious torrents and employs multiple methods to wring as many cryptoassets as possible from its victims – while remaining undetected throughout.
Fixed, not fixed
SatoshiLabs, the maker of the Trezor hardware wallet, has paid a bounty fee to Shift Crypto, and said it has fixed the issue in recently released upgrades.
A Shift Crypto employee using the handle benma, who said he is one of the main developers of the BitBox02 wallet, wrote in a blog post that he successfully performed a remote attack on both wallets by interactively modifying Electrum running on the Bitcoin Testnet.
The developer said that, in order for users’ cryptocurrency to remain safe, it is “important that the hardware wallet validates any input it receives from the computer.”
“In this case, the passphrase should be confirmed with the user on the device before using it to derive the seed. The Trezor and KeepKey did not do this in the case of the passphrase entered on the computer.”
As such, a malicious actor able to modify data transferred via USB “could send an arbitrary fake passphrase to the Trezor/KeepKey, and hold any coins received in this wallet hostage,” wrote benma, who added,
“The passphrase entered by the user could simply be ignored, and the actual passphrase used would be only known to the attacker.”
The author added that Trezor released a fix in Trezor One v1.9.3 and in Model T v2.3.3 devices on September 2. Benma added that he has also spoken to a representative from KeepKey. The latter reportedly said that the company has not designed a fix for the issue yet, and is instead “working on higher priority items first.”
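To make the missing check concrete, the following is an added simulation (not Shift Crypto’s, Trezor’s or KeepKey’s code) of BIP39 seed derivation and of the two device behaviours benma describes: one that derives the seed from whatever passphrase arrives over USB, and one that first confirms it with the user on the device. The mnemonic, the passphrase strings and the user_confirms callback are constructed for the demo.

```python
import hashlib
import unicodedata

# Constructed demo mnemonic for illustration only; never use it for real funds.
DEMO_MNEMONIC = ("abandon " * 11 + "about").strip()

def bip39_seed(mnemonic: str, passphrase: str) -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic, salt "mnemonic" +
    passphrase, 2048 rounds, 64 bytes. The passphrase is key material, so a
    different passphrase yields a different wallet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)

def vulnerable_device_derive(mnemonic: str, usb_passphrase: str) -> bytes:
    """Pre-fix behaviour described above: trust whatever passphrase arrived
    over USB and derive the seed without showing it to the user."""
    return bip39_seed(mnemonic, usb_passphrase)

def fixed_device_derive(mnemonic, usb_passphrase, user_confirms) -> bytes:
    """Post-fix behaviour: display the received passphrase and derive the seed
    only after the user confirms it on the device. user_confirms(shown) models
    the on-device prompt and returns True or False."""
    if not user_confirms(usb_passphrase):
        raise ValueError("passphrase shown on device was not confirmed")
    return bip39_seed(mnemonic, usb_passphrase)

def run_scenario(user_typed: str, usb_delivered: str) -> dict:
    """One host->device exchange under both behaviours. user_typed is what the
    user entered on the computer; usb_delivered is what the device received
    (same when the host is honest, different when a compromised host
    substitutes its own value)."""
    expected = bip39_seed(DEMO_MNEMONIC, user_typed)
    vulnerable = vulnerable_device_derive(DEMO_MNEMONIC, usb_delivered)
    # The on-device prompt lets the user compare the displayed passphrase with
    # what they typed; confirming only on a match is the check the fix adds.
    confirm = lambda shown: shown == user_typed
    try:
        fixed = fixed_device_derive(DEMO_MNEMONIC, usb_delivered, confirm)
    except ValueError:
        fixed = None
    return {"vulnerable_matches_user": vulnerable == expected,
            "fixed_accepted": fixed is not None,
            "fixed_matches_user": fixed == expected}

if __name__ == "__main__":
    print("honest host:", run_scenario("correct horse", "correct horse"))
    print("substituted:", run_scenario("correct horse", "only-attacker-knows"))
```

In the substituted case the unfixed device silently derives a wallet whose passphrase the user never saw, which is exactly the hostage situation described; the fixed device refuses because the displayed value does not match what the user typed.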
Meanwhile, ESET, which has named the trojan malware family KryptoCibule, has called the malware a “triple threat in regard to [cryptoassets],” as it uses its victims’ resources to mine coins, attempts to hijack transactions and extracts crypto-related files while using various techniques to avoid detection.
In a press release, Matthieu Faou, the ESET researcher who discovered the new malware family, said,
“The malware, as written, employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime. Presumably, the malware operators were able to earn more money by stealing wallets and mining [cryptoassets] than what we found in the wallets used by the clipboard hijacking component.”
Faou added that sophisticated work had obviously gone into the malware’s design. KryptoCibule uses the Tor network and the BitTorrent protocol as part of its communication infrastructure to stay under the radar. But mining and wallet theft were likely the malware makers’ key aims.
“Alone, the revenue generated by [the clipboard hijacking component] does not seem enough to justify the development effort observed.”