Hardware Glitch Renders KeepKey Helpless to Physical Brute Force Attacks

Kraken, a leading digital asset exchange, found a hardware vulnerability in ShapeShift’s KeepKey wallet, allowing a variable flow of voltage to bypass the pin code required to open the wallet. KeepKey customers are advised to ensure nobody else has physical access to their wallet, and to enable a BIP 39 passphrase to reduce vulnerability, December 10, 2019.

Securing Cryptocurrency Holdings

Some may argue that hardware wallets are meant to isolate cryptocurrency from the online world, so securing against physical attacks is out of the scope of a hardware wallet. But if a voltage glitch can open a hardware wallet, it shows negligence from the manufacturers side, and could indicate further flaws with the wallet.

Kraken continuously tests security infrastructure like hardware wallets under various conditions, trying to find vulnerabilities as they have with KeepKey. Although the process requires a fair amount of technical knowledge, the exchange estimates a consumer-friendly glitching device can be made for around $75, which, ironically, is cheaper than the wallet itself.

BIP 39 is the implementation of a mnemonic pass phrase, consisting of 12-24 words in most cases. Using this, rather than an 1-9 digit PIN, eliminates the vulnerability as the password isn’t store on the device itself. This is a lot more cumbersome for someone who uses their KeepKey often, but it’s worth it to eradicate the risk of losing funds.

Hardware Wallets Still Safest Option

The philosophical debate of whether a hardware wallet is meant just for offline protection as well as physical protection can be vigorously debated, but even with this flaw, a hardware wallet is still the best bet for maximizing security.

Jameson Lopp, CTO at Casa, regularly runs physical tests to see whether hardware wallets made of different metallic structures can survive a fire. This is broadly in line with the idea that a hardware wallet must be secure from all fronts.

Institutions who find self custody to be a pain outsource this to entities like Coinbase, Anchorage, and BitGo. These companies have robust internal mechanisms, but there is still a risk given that one single entity – that is publicly known – holds the keys to billions of dollars in cryptocurrency.

For the retail investors out there, hardware wallets are still the best bet, and Ledger is the only one that hasn’t reported a critical but thus far.