Portland-based engineer shared his story of cracking a Trezor wallet on a YouTube video.
Joe Grand, computer engineer and hardware hacker, hacked into a Trezon One wallet at the request of its owners who had forgotten both his wallet passcode and the seed phrase. He was able to recover over $2 million worth of cryptocurrency.
Grand, also known by his alias “Kingpin”, uploaded a YouTube video where he explained the entire process of cracking the hardware without wiping its contents clean.
Did you know?
Subscribe - We publish new crypto explainer videos every week!
What is Ethereum 2.0? Upgrades Easily Explained With Animations
The wallet in question belongs to NYC-based entrepreneur Dan Reich. Along with a friend, he was planning on cashing out an original investment in Theta from 2018, then worth around $50 000. They realized that they had lost the security PIN for the storage device.
They attempted to guess the PIN themselves but stopped after 12 failed attempts, as they were getting close to the threshold of maximum allowed failures. After 16 unsuccessful attempts, the wallet is programmed to wipe itself clean.
As they did not have access to either the PIN nor the seed phrase, they opted to enlist help of a hacker. They got in touch with Grand, who embarked on a 12-week journey to crack the Trezor One wallet and recover the funds.
Grand first spent three months training without the access to the Reich’s wallet to avoid accidentally resetting it. On the day of the hack, he first made his discovery of the correct PIN by complete accident.
With the help of his wife, he retraced his steps through the whole day, leading up to the moment of the breakthrough. As he was looking through the source code of the Trezor device, he discovered a crucial entry point.
As he found out, during a firmware update, the Trezor One wallets temporarily transfer the key and the PIN to RAM, and return them back into flash after the update is successfully completed.
It turns out that I found an area in the source code where, on power-up, the secret information gets copied into RAM, and then when I do my glitch to defeat the security of the chip to give me access to RAM, the contents are there and I can get them out.
Grand realized that Reich’s version of the Trezor firmware copied the information to RAM rather than copying it. This meant that in a scenario where the hack failed, even if RAM was wiped clean, the data would remain stored in flash.
With this knowledge, Grand staged a fault injection attack by altering the voltage going into the chip inside the wallet. He was able to surpass the RAM security and obtain the PIN, rescuing Reich from the worst-case scenario of losing his assets.
Trezor responded on Twitter, stating that the vulnerability has already been fixed and won’t be present in new devices.