Kraken Security Labs revealed on Jan. 31 that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it "requires only 15 minutes of physical access to the device."

The attack requires a physical intervention on the Trezor wallet by either extracting its chip and placing it on a special device or soldering a couple of critical connectors.

The Trezor chip must then be connected to a "glitcher device" that would send it signals at specific moments. These break the built-in protection that prevents the chip's memory from being read by external devices.

The trick allows the attacker to read critical wallet parameters, including the private key seed.

Though the seed is encrypted with a PIN-generated key, the researchers were able to brute force the combination in just two minutes.

The vulnerability is caused by the specific hardware used by Trezor, meaning that the company cannot easily fix it. It would need to completely redesign the wallet and recall all existing models.

In the meantime, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.

In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.

Finally, the team suggested users activate the wallet's passphrase feature to protect from such attacks. The password is never stored on the device as it is added to the seed to generate the private key on the fly. Kraken also noted that this is a feasible alternative, though researchers referred to it as "a bit clunky to use in practice."

The feature also adds significant responsibility to each user. The passphrase needs to be complex enough to not be easily brute forced as well, and forgetting it would completely lock users out of their money.
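The two passphrase paragraphs above can be made concrete with an added example (not from Kraken, Trezor or the original article) that assumes the standard BIP-39 derivation, which the article does not name. It shows that a seed read out of the chip only opens the empty-passphrase wallet, and that a mistyped passphrase silently opens a different, equally valid-looking one. The mnemonic is the public BIP-39 test vector and the passphrases are constructed sample values.

```python
import hashlib
import unicodedata

# Public BIP-39 test-vector mnemonic (constructed sample, never a real wallet).
# It stands in for the recovery seed stored on the device.
EXTRACTED_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the mnemonic, 2048 rounds.

    The passphrase is only part of the salt, so it is needed at unlock
    time but is never written to the device alongside the mnemonic.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallets_opened(mnemonic: str, real_passphrase: str, attempts: list) -> dict:
    """Map each attempted passphrase to whether it reaches the real wallet.

    Every attempt yields a well-formed 64-byte seed; nothing signals a
    wrong passphrase, so a forgotten or mistyped one simply opens an
    empty wallet instead of the funded one.
    """
    target = bip39_seed(mnemonic, real_passphrase)
    return {p: bip39_seed(mnemonic, p) == target for p in attempts}


if __name__ == "__main__":
    # Hypothetical owner passphrase and a few attempts against it.
    real = "TREZOR"
    attempts = ["", "trezor", "TREZOR ", "TREZOR"]
    for attempt, hit in wallets_opened(EXTRACTED_MNEMONIC, real, attempts).items():
        seed = bip39_seed(EXTRACTED_MNEMONIC, attempt).hex()
        print(f"{attempt!r:10} -> {seed[:16]}...  real wallet: {hit}")
```

Each guess costs 2048 HMAC-SHA512 rounds, which slows a search but does not replace passphrase entropy: a short or dictionary passphrase remains searchable once the mnemonic is known.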

Cointelegraph reached out to Kraken for additional details, but had not received a response as of press time. The article will be updated as more information becomes available.