On May 18, 2020, new research from Ledger—a firm that itself makes hardware wallets—demonstrated vulnerabilities in popular cold-storage options that would have revealed their PINs.
Specifically, researchers examined wallet products from manufacturers Coinkite and ShapeShift and found flaws that could have allowed an attacker to figure out the PIN that protects those wallets.
The report indicates that all vulnerabilities have been fixed, and both attacks would have required physical access to the hardware devices, which reduces the risk of a successful theft.
However, Ledger contends that it’s still important to hold hardware wallets to the highest standards so as to ensure the security of digital assets.
ShapeShift fixed a vulnerability in its KeepKey wallet with a firmware update in Feb. 2020. A hardware flaw in Coinkite’s Coldcard Mk2 wallet persists, but it is fixed in the company’s current model, the Mk3, which started shipping in October last year.
How Hackers Can Access Wallet PINs
In scrutinizing the KeepKey memory chip that stores a user’s authentication PIN, security researchers established that they could monitor changes in the chip’s voltage output as it received PIN inputs and use them to figure out the PIN itself.
By building a decoder that maps the voltage outputs of PIN retrievals to PIN values, hackers could later identify the PIN of a target hardware wallet.
Luckily for users, ShapeShift patched the vulnerability in a firmware update that enhanced the security of the PIN verification function.
The fix makes it harder for attackers to build a reliable catalogue of power consumption outputs that accurately map to PIN values.
That said, ShapeShift admitted last year that there’s almost no way to stop a sophisticated hacker with physical possession of a device from accessing a hardware wallet. The company advised users:
“ShapeShift recommends that you secure your device with the same caution you would with other investments or valuables. Protect your KeepKey like it could be stolen tomorrow.”
Hardware Wallet Flaws Highlight Need for Improvements
Hardware wallets, which are devices similar to a USB drive that store your digital coins and private keys locally without connecting to the internet, are still the safest way to go.
But “safest” doesn’t mean “perfect,” as the new research by Ledger shows. Hardware wallets still need much improvement before they can wholly secure digital assets.
For instance, Kraken Security Labs recently warned the crypto community that the widely-used Trezor bitcoin hardware wallet has a “critical” flaw—with hackers able to extract the wallet’s private keys in just 15 minutes.
However, Metal, a blockchain startup, is working hard to create secure and trusted hardware wallets that offer encrypted storage to safeguard users’ digital assets offline.
Metal has established a reputation for making inroads for the cryptocurrency community, and it carried on with this by recently partnering with Lynx to build the future of blockchain technology.