Cracking a $2 million crypto wallet

Dan Reich and a friend decided to spend $50,000 on a bunch of Theta token, which was worth just 21 cents. They had to transfer everything to a hardware wallet after the Chinese government cracked down on cryptocurrencies, so they held the token with an exchange in China. Reich and his friend chose a hardware wallet, set up a PIN, and then got busy and forgot about it.

The token had sunk to less than a quarter of its value by the end of the year, and then crashed again. Reich wanted to cash out, but his friend couldn't remember the digits after he lost the paper where he wrote the PIN. After each failed attempt, the wallet doubled the wait time before they could guess again. The data on the wallet would be erased after 16 guesses. They stopped when they reached a dozen tries.

Reich wrote off the money in his mind. He was willing to take the loss until the price went up again.

The value of their token went up from a low of $12,000 to over $20,000. It would be worth $400,000 by the end of 2020 and rise to over $3 million by the end of the year. It was possible to get into the wallet without the PIN. Reich and his friend were going to find a way inside.

Managing the private keys associated with a block of currency has been a high-stakes challenge from the beginning. If anyone else gets hold of the key, they can grab your coins in a single anonymous transaction from anywhere in the world. If anyone on the internet is able to get your key, you can store it in a software wallet on an exchange service's server or in a software wallet on your own computer or mobile phone.

Hardware wallets are meant to solve that problem by storing the key locally, off the internet, and signing transactions inside the secure wallet when you insert the device into a computer and enter the PIN. If you forget the PIN and don't have the key written down, you're out of luck and can't access your currency on the block chain.

There are more than 3 million Bitcoins that are lost to owners.

This happens more often than you think. Chainalysis estimates that more than 3.7 million Bitcoins are lost to their owners. Currency can be lost due to a number of reasons: a computer or phone crashes, the owner misplaces their wallet, or the owner forgets their PIN.

Reich and his friend were desperate to crack their wallet as the value of their inaccessible token rapidly rose in 2020. They searched online until they found a conference talk about how to access a key in a wallet without a PIN. Reich was given hope after the engineers declined to help them.

Reich says that they knew it was possible and had an idea of how it could be done.

They found a financier in Switzerland who claimed to have associates in France who could crack a wallet. Reich couldn't go to the lab or know their names. He would have to give his wallet to the financier in Switzerland, who would take it to his French associates. Reich and his friend were desperate and crazy with the idea.

Reich was forced to delay their plans in 2020 due to cowardice and lock downs, but in February of 2021, with the value of their token now $2.5 million, Reich found a better option: a hardware hacker in the US named Joe Grand.

Grand has been hacking hardware since he was 10. In 1998, he testified to the US Senate about a vulnerability that could be used to take down the internet or allow an intelligence agency to spy on traffic. He co-hosted the Discovery Channel's "Prototype This" show in 2008 and teaches hardware hacking to organizations and companies that want to understand how hackers can attack their products.

If he messed up, there was a good chance that it wouldn't be recovered.

Reich, an electrical engineer who owns a software company, had a better ability than most to assess if Grand had the skills to pull off the hack. He knew they had found the right person after a single conversation. He remembers thinking that this is perhaps one of the best electrical engineers he has ever met.

Reich and his friend installed the same version of firmware on their wallet after Grand purchased several identical wallets to the one Reich and his friend owned. He spent three months researching and attacking his practice wallet. Reich, who lives in New Jersey, wouldn't fly out to Portland with his wallet until Grand cracked three wallets using the same technique.

If he messed up, there was a good chance that it wouldn't be recovered.

There was previous research that helped Grand. A 15-year-old hardware hacker in the UK named Saleem was able to help a tech journalist free $30,000 in Bitcoins by using a method he had developed.

glitching is a fault-injection method.

When the wallet was turned on, it made a copy of the PIN and key that was stored in the wallet's secured flash memory and placed it in the RAM. A vulnerability in the wallet allowed him to put the wallet into update mode and install his own unauthorized code on the device, which allowed him to read the PIN and key. The PIN and key were erased from the long-term flash memory because of the installation of his code. If Grand accidentally erased the RAM before he could read the data, the key would be unrecoverable.

The PIN and key that were copied to the device's RAM during boot-up were erased from the device's memory when it was put into update mode.

Reich had examined the method used in the conference talk that Grand looked at. The researchers found that despite the removal of the PIN and key that got copied to the RAM, they were still showing up in the RAM. They found that at some point during the update mode, the PIN and key were temporarily moved to RAM to prevent the new firmware from writing over the PIN and key, then moved back to flash once the new software was installed. They came up with a technique calledwallet. fail. This attack used a fault-injection method to undermine the security of the RAM and allow them to read the PIN and key when they were briefly in it.

The most secure level of security is called RDP2, which doesn't let you read the RAM, and the other two levels are called RDP1 and RDP0, which do. To prevent someone from reading the RAM, the wallets are configured to use RDP2.

The team found a way to lower the security of the chip by doing a fault injection attack. They could force the wallet into the update mode and then read it. The fault injection gave them access to the RAM without needing to exploit code.

The technique was great for a research project, but risky for Reich. There was only one version of the wallet during this period because the PIN and key were moved to the RAM. If you do something wrong, Grand could wipe the RAM, along with the key and PIN. Each time he messed up his wallet, they froze.

The computer finally called out after three and a half hours.

Grand stumbled on a better solution while trying to fix the problem. When Reich's wallet was powered on, the key and PIN were still copied to the device's RAM. If Grand glitched the device at the right time, he could change the security to RDP1 and read the RAM. If Grand accidentally wiped the RAM, the key and PIN would still be in flash. It was a much better solution than the previous ones.

The only problem with the glitching was that it took thousands of tries to hit the exact moment that would let him down the security of the microcontroller. It took three to four hours using an automated script, and there was no guarantee that it would work on Reich's wallet. Reich likened the wait to sitting through a stakeout.

If the glitch worked, Grand's computer would call out: "Hack the planet!", a nod to the 1995 film Hackers. Reich flew to Portland for two days to do the hack for real. They spent the first day getting everything set up, filming the hack with a professional crew, and the next day Grand launched his script.

They waited. And waited a bit more. They ate pizza and waited.

The computer finally called out: "Hack the planet!" after nearly three and a half hours. Grand could see the key and PIN on his screen. Reich and his friend were richer than before.

He moved the Theta token out of the account and sent a percentage of the money to Grand.

It was a thrilling moment for Grand, not just because of the money that was at stake. He says it helped him decide what to do with his skills.

Anything is hackable with enough time and effort.

He has been speaking with people who lost access to their funds, with the hope of helping them. James Howells in Wales lost his access to the virtual currency after he accidentally threw his hardware wallet in the trash. He has been trying to get his local council to let him dig through the dump. The city told him there was a good chance they could locate the area where his wallet might be, but they have so far refused his request.

A couple who lost their password to a software wallet on their computer have been speaking with Grand, as well as someone whose wallet is on a broken phone, which would require forensic repair techniques.

Grand wants to help make them more secure and not just crack wallet. He plans to report the vulnerabilities he finds to the vendor so they can be patched and not exploited by criminals. Does this mean he won't be able to hack at some point?

Grand does not think so. Reich is a person with older unpatched versions of firmware on their wallet, and he is confident newer devices will still be vulnerable in different ways even if they are patched.

Anything is hackable with enough time and effort, but it depends on the design.

The problem Grand was exploited in was fixed by Trezor. The wallet doesn't copy the key or PIN anymore. Pavol Rusnak, co-founder and CTO of the company, said that it now stores them in a protected part of flash that isn't affected during a firmware upgrade.

A core issue with the chip that allows fault injection still exists and can only be fixed by the chip maker or by using a more secure chip. Rusnak says his team explored the latter, but more secure chips generally require vendors to sign an NDA, something his team doesn't like. When Rusnak's team discovered a flaw in one secure chip they considered using, the chip maker invoked the NDA to prevent them from talking about it.

It's possible that Trezor wallet is vulnerable to other hacking techniques. Grand is working on a new method for hacking the STM32 microcontroller. It will work on the newer, more protected wallets. The ramifications go beyond wallet, so he won't release the details publicly.

The issue he found can't be fixed because the STM32 is used in billions of devices around the world. Which is awesome and frightening.