With the rapid growth in popularity of the cryptocurrencies, a need emerged for secure devices to store private keys and perform crypto operations. Although the idea of secure devices protecting access to financial assets is not new and such devices, namely chip bank cards, were on the market for a few decades now. Despite the fact that there are a lot of chips and products designed to meet the highest standards bank cards have to meet, additional functionality required by the cyrptocurrency applications demanded new devices to be developed. Nowadays there are multiple hardware wallet designs on the market promising users to protect their private keys at all cost, but not all hardware designs can provide the same level of security. In this research one of the most popular hardware wallet's physical security was put to the test. An exploit, allowing an attacker with physical access to the device to change the device's PIN and get the full access to its secrets, is presented.
Sergei Volokitin is a security analyst at Riscure in the Netherlands where his work is mostly focused on security evaluation of embedded systems and security testing of smart card platforms and TEE based solutions. He has a number of publications on Java Card platform attacks and conference presentations on hardware security.