Software is Achilles Heel of Hardware Cryptocurrency Wallets
Cryptocurrency exchanges and private wallets have been fully in cyberattacker crosshairs as criminals seek to make the most of an exploding new financial market that some analysts say will reach $1 trillion by the end of the year. In response to these attacks, a number of manufacturers have come out with secure hardware wallets meant to harden the storage of the cryptographic keys that serve as proof of ownership of vast sums of money. However, a new piece of research expected out of Black Hat USA next month shows that these secure hardware storage devices may not be as locked down as their users expect them to be.
Presented by Sergei Volokitin, the research will show how software attacks can be used to break the Secure Element, the supposedly tamper-resistant hardware platform upon which these hardware wallets base their protection. Volokitin found vulnerabilities in these wallets' trusted execution environment (TEE) operating systems that could be manipulated to compromise memory isolation and cause the wallet to give up operating system and application secrets.
"Despite the fact that the device makes use of secure hardware to protect the private keys, a number of flaws in the software design and implementation allowed us to create various attack scenarios, including remote, physical and supply chain attacks," explains Volokitin, who works as a security analyst for Riscure, a global security test lab based in the Netherlands.