Swiss hardware wallet provider Shift Crypto said it has disclosed a vulnerability in the Trezor and KeepKey hardware wallets that could allow for potential ransom attacks – while a potentially nasty new malware strain is threatening to cause widespread wallet theft if left unchecked.
The vulnerability can potentially be exploited when users enter passphrases on their devices.
And researchers at cybersecurity firm ESET have discovered a previously undocumented trojan malware family which spreads through malicious torrents, and employs various multiple methods to wring as much cryptoassets as possible from its victims – while remaining undetected throughout.
Fixed, not fixed
SatoshiLabs, the maker of the Trezor hardware wallet, has paid a bounty fee to Shift Crypto, and said it has fixed the issue in recently released upgrades.
A Shift Crypto employee using the handle benma, who said he is one of the main developers of the BitBox02 wallet, wrote in a blog post that he successfully performed a remote attack on both wallets by interactively modifying Electrum running on the Bitcoin Testnet.
The developer said that, in order for users’ cryptocurrency to remain safe, it is “important that the hardware wallet validates any input it receives from the computer.”
“The passphrase entered by the user could simply be ignored, and the actual passphrase used would be only known to the attacker.”
The author added that Trezor released a fix in Trezor One v1.9.3 and in Model T v2.3.3 devices on September 2. Benma added that he has also spoken to a representative from KeepKey. The latter reportedly said that the company has not designed a fix for the issue yet, and is instead “working on higher priority items first.”
Meanwhile, ESET, which has named the trojan malware family KryptoCibule, has called the malware a “triple threat in regard to [cryptoassets],” as it uses its victims’ resources to mine coins, attempts to hijack transactions and extracts crypto-related files while using various techniques to avoid detection.
In a press release, Matthieu Faou, the ESET researcher who discovered the new malware family, said,
“Alone, the revenue generated by [the clipboard hijacking component] does not seem enough to justify the development effort observed.”