OneKey, a company that provides cryptographic hardware wallets, has said that it has already patched a flaw in its firmware that made it possible for one of its hardware wallets to be compromised in under one second.
Unciphered, a firm in the field of cybersecurity, said in a video that was uploaded on YouTube on February 10 that it has discovered a means to “break open” a OneKey Mini by taking advantage of a “Massive major flaw” and exploiting it.
It was possible, according to Eric Michaud, a partner at Unciphered, to return the OneKey Mini to “factory mode” and bypass the security pin by disassembling the device and inserting coding. This would allow a potential attacker to remove the mnemonic phrase that is used to recover a wallet. This was made possible by returning the device to “factory mode.”
“You have the central processing unit as well as the security element. Your cryptographic keys will always be stored in the secure element. Michaud noted that in a typical situation, the connections between the central processing unit (CPU), which is where the processing is done, and the secure element are encrypted.
“Well, as it turns out, in this particular instance, it wasn’t built to do so. “What you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands,” he said, adding: “That being said, with password phrases and basic security practices, even physical attacks disclosed by Unciphered will not affect OneKey users.”
The company went on to emphasize that despite the fact that the vulnerability was concerning, the attack vector that was discovered by Unciphered cannot be used remotely. Instead, it necessitates “disassembly of the device and physical access through a dedicated FPGA device in the lab” in order to be possible to execute.
According to OneKey, after discussion with Unciphered, it was divulged that other wallets have been found to have similar difficulties. This was disclosed when it was discovered that other wallets had the same issue.
OneKey said that they have compensated Unciphered with bounties as a way of expressing gratitude for their contributions to the company’s security.
OneKey has said in a blog post that it has already taken significant precautions to secure the safety of its customers. These precautions include protecting customers against supply chain assaults, which occur when a hacker replaces a real wallet with one that is under their control.
Tamper-proof packaging for shipments has been one of the steps taken by OneKey, along with the use of Apple’s own supply chain service providers for the purpose of ensuring tight supply chain security management.
They have aspirations to add onboard authentication in the not too distant future and to update more recent hardware wallets with higher-level security components.
According to what was said by OneKey, the primary objective of hardware wallets has always been to safeguard the financial assets of users from cyber-attacks, computer viruses, and other potential threats; nevertheless, sadly, nothing can be completely secure.
“When we look at the entire manufacturing process of hardware wallets, from silicon crystals to chip code, from firmware to software, it’s safe to say that any hardware barrier can be breached with enough money, time, and resources; even if it’s a nuclear weapon control system.” “When we look at the entire manufacturing process of hardware wallets, from silicon crystals to chip code, from firmware to software,”
Source: https://blockchain.news/news/onekey-addresses-vulnerability-that-allowed-hardware-wallet-to-be-hacked