Researchers have reportedly shown how they were able to hack the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. The demonstration of the hacks was published in a video on Dec. 27.
The research team behind the dubbed “Wallet.fail” hacking project is made up of hardware designer and security researcher Dmitry Nedospasov, software developer Thomas Roth and security researcher and former submarine officer Josh Datko.
During the conference, the researchers announced that they have been able to extract the private key out of a Trezor One hardware wallet after flashing — overwriting existing data — a custom firmware. However, they pointed out that this exploit only works if the user didn’t set a passphrase.
Pavol Rusnak, CTO of SatoshiLabs (the company behind Trezor), commented on Twitter that they were not notified through their Responsible Disclosure program prior to the demonstration, and that they will address the reported vulnerabilities through a firmware update at the end of January.
Moreover, the same group of hacker researchers also claimed during the talk that they were able to install any firmware on a Ledger Nano S, a leading hardware wallet. While the team used this vulnerability to play the game Snake on the device, one member of the team that found the exploit claimed:
“We can send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves [via software,] or we can even go and show a different transaction [not the one that is actually being sent] on the screen.”
The team also demonstrated that they found a vulnerability in the Ledger Blue, the most expensive hardware wallet produced by the company,