Hackers typically want to remain as anonymous as possible, keeping their trade specialties a secret from the public. However, one hardware hacker and computer engineer revealed to the world how he hacked his way into a Trezor One hardware wallet containing over $2 million.
The hacker in question is Joe Grand, also known by the alias “Kingpin,” who uploaded a video on YouTube explaining how he managed to do it.
In 2018, NYC-based entrepreneur Dan Reich and his friend cashed out an investment of approximately $50,000 worth of Theta. However, they realized they had forgotten the security PIN for the Trezor One wallet, which contained the tokens from that investment. They tried unsuccessfully to guess the PIN about 12 times before deciding to stop, as the wallet wipes itself clean after 16 unsuccessful tries.
However, the $50,000 investment from 2018 grew to $2 million this year, so they decided to try re-accessing the wallet. The only other way to access the contents of the hardware wallet without the PIN or seed phrase was through hacking.
Reich and his friend decided to contact Grand, who spent about 12 weeks attempting to access the wallet. After much trial and error, he successfully recovered the PIN.
The key reason why the hack was successful is that Trezor One wallets typically move the PIN and key to the RAM temporarily whenever there’s a firmware update. After installing the new firmware, the wallet moves the information back to flash. However, Grand noticed that this wasn’t the case for Reich’s wallet.
Instead of moving the information, the firmware version on the entrepreneur’s wallet copied it to the RAM. In other words, if the hack didn’t go smoothly and all information on the RAM got deleted, the flash would still have the information on the PIN and key.
Grand used a fault injection attack, which is a technique that changes the amount of voltage going into the chip. With this technique, the hacker sidestepped the microcontroller’s security, which is put in place to stop hackers from gaining access to the RAM. Then, he obtained the lost PIN to allow Reich and his friend to access their funds.
In his explanation video, Grand says:
Trezor recently tweeted that the vulnerability that allows people to get information from the RAM has since been fixed for new devices. However, unless Trezor addresses the microcontroller’s susceptibility to fault injection, it’s still possible for hardware wallet users to be attacked in this way.