Earlier this year, Unciphered, a California-based cybersecurity startup, found a serious vulnerability in the popular OneKey Mini hardware crypto wallet. Its team of white hat hackers shared the details with the wallet manufacturer, so OneKey was able to address the urgent issue timely.
Unciphered revealed the details about the vulnerability in its YouTube video on February 9. As Eric Michaud, a partner at Unciphered, explained, it was possible to bypass the OneKey Mini recovery security pin by resetting the device to its factory mode. Luckily, the attack couldn’t be carried out remotely, since it required disassembling the device.
“You have the CPU and the secure element. The secure element is where you keep your crypto keys. Now, normally, the communications are encrypted between the CPU, where the processing is done, and the secure element,” Michaud explained.
“Well, it turns out it wasn't engineered to do so in this case. So what you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands.”
In its February 10 blog post, OneKey emphasized that the detected vulnerability required physical contact with a wallet. The company pointed out that physical wallets are designed to be effective against remote attacks in the first place.
“To be precise, the hardware wallet isolates your private key from the Internet, thus cutting off the means of remote attacks such as Trojan horses, phishing, computer viruses, etc. In the real world, the vast majority of attacks are done by remote means.”
Still, the hardware wallet provider “has made many efforts to prevent supply chain attacks.” In this type of security attack, a real wallet is replaced with a device controlled by a perpetrator. Some of the measures taken by OneKey to increase the security of its wallets include tamper-proof packaging and a recent implementation of security components that “will soon add onboard authentication.”
“When we look at the entire hardware wallet manufacturing process, from silicon crystals to chip code, from firmware to software, it’s safe to say that with enough money, time and resources, any hardware barrier can be breached, even if it’s a nuclear weapon control system,” OneKey wrote.
According to Coingraph, Unciphered received a $10,000 reward from OneKey for discovering and reporting the bug. OneKey encourages other cybersecurity teams and solo whitehats to explore its code published in the GitHub repository. The wallet manufacturer's bug bounties typically range from $250 to $5,000, depending on the severity of the detected issue.
“It’s a good thing that someone is correcting our mistakes, giving us the incentive to write world-class, high-quality code,” the OneKey team Unciphered hackers.
The company plans to continue enhancing the security level of its hardware wallets. One of the measures it is going to take is the introduction of security components with core business logic at the EAL6+ level or higher in the future.
EAL (Evaluation Assurance Level) represents the accuracy of implementation of Common Criteria or The Common Criteria for Information Technology Security Evaluation. Common Criteria are a set of computer security requirements defined in the international standard ISO /IEC 15408.
At press time, there were seven assurance levels. EAL6 states that the development environment and deployment of security engineering techniques provide sufficient protection of the information system against the risks classified as significant for high-value assets.
Meanwhile, Unciphered assured their followers that despite the recent bug, hardware wallets are still a more secure option for storing crypto assets than hot wallets.