ShapeShift — a Cryptocurrency swaps and hardware wallet producer — has put a lot of effort into addressing allegations regarding the recent KeepKey hardware wallet vulnerability.
On Aug. 4, a Medium post published highlighted the disclosure program ShapeShift had used to respond to the alleged vulnerability.
What the researchers believed could be a hardware vulnerability was compiled in a vulnerability report that came out on May 1.
An attacker would monitor power fluctuations through exploiting the purported vulnerability in what is referred to as a side-channel attack, thereby reading the details on wallet’s screen.
Ostensibly, attackers would have the opportunity to steal funds from the gadget in case they were monitoring the power levels as the on-screen was displaying sensitive information.
Vulnerability of the system
Since the information is displayed, an attacker would physically acquire the device, then, use an oscillometer to accurately monitor the KeepKey’s energy consumption in order to gain access to sensitive information that is on the on-screen.
Because of the physical accessibility of the alleged vulnerability, ShapeShift highlighted a simple manner of obtaining information:
“By comparison, it would be far easier to steal someone’s Recovery Phrase by simply looking over their shoulder while they set up their KeepKey or installing a hidden camera in the room in which it was being initialize.”
For attackers to get the contents displayed only the display’s energy consumption, some things are needed. Physical access, hardware skills, statistical data analysis, and specialized equipment, will be necessary according to ShapeShift for one to carry out a side-channel attack.
However, the interpretation of data will still remain more difficult, even if all of these requirements were met:
“Due to the larger display in KeepKey, multiple Recovery Phrase words are displayed at once. This makes it much more difficult to identify individual words (and the order of words) based off the power used by the screen.”
In March, Ledger — a major hardware wallet manufacturer — found out that Trezor’s (its direct competitor) devices had vulnerabilities. However, Trezor, in its response, claimed that the weaknesses that Ledger highlighted were not critical.