CryptoPotato
CryptoPotato
  • Crypto News
  • Margin Trading
  • Guides
    • Bitcoin & Crypto Guides 101
    • Bitcoin For Beginners
    • Editorials
  • DeFi & NFT
  • Buy
  • Language
  • Crypto News
  • Bitcoin For Beginners
  • Cryptocurrency Guides 101
  • Editorials
  • Bitcoin & Crypto Margin Trading
  • DeFi & NFT News
  • Bitcoin Price Analysis
  • CryptoPotato Crypto Fund
  • Ethereum (ETH) Price Analysis
  • Ripple (XRP) Price Analysis
  • Market Updates
  • Interviews
  • Buy Bitcoin with Card
  • bitcoin
    BTC$28,269.00
  • ethereum
    ETH$1,813.60
    • Market Updates
    • BTC Analysis
    • ETH Analysis
    • XRP Analysis
    • Interviews
    • Opinions
    CryptoPotato
    CryptoPotato
    • Crypto News
    • Margin Trading
    • Guides
      • Bitcoin & Crypto Guides 101
      • Bitcoin For Beginners
      • Editorials
    • DeFi & NFT
    • Buy
    • Language
    • Crypto News
    • Bitcoin For Beginners
    • Cryptocurrency Guides 101
    • Editorials
    • Bitcoin & Crypto Margin Trading
    • DeFi & NFT News
    • Bitcoin Price Analysis
    • CryptoPotato Crypto Fund
    • Ethereum (ETH) Price Analysis
    • Ripple (XRP) Price Analysis
    • Market Updates
    • Interviews
    • Buy Bitcoin with Card
    Home » Crypto News » Unciphered Reveals Now-Patched Vulnerability in OneKey Wallet

    Unciphered Reveals Now-Patched Vulnerability in OneKey Wallet

    Author: Jordan Lyanchev

    Last Updated Feb 13, 2023 @ 16:15

    The security vulnerability allowed anyone with physical access to the hardware wallet to swipe its mnemonics.

    In a YouTube video shared on their channel, the cybersecurity team at Unciphered demonstrated a critical security vulnerability for the OneKey wallet that they discovered during research.

    As is customary for the white hat discovery of vulnerabilities, the video was released after it was patched.

    Lacking Customary Encryption

    Unciphered, a cybersecurity startup whose main focus is recovering lost crypto for clients who no longer have access to their wallets, presumably uncovered the issue while attempting to recover funds for a customer. In the video, a OneKey wallet is disassembled and manipulated, with the Unciphered team inserting a piece of hardware that monitored communications between the wallet’s CPU and its secure unit.

    Generally, the communication between the CPU and the secure unit – where the mnemonic and crypto are stored – is encrypted. However, for OneKey wallets, it appears this was not the case.

    “Normally, the communications are encrypted between the CPU, where the processing is done, and the secure element. Well, it turns out it wasn’t engineered to do so in this case. So what you could do is put a tool in the middle that monitors the communications and intercepts them, and then injects its own commands.”

    Factory Mode Bypass

    By inserting their piece of hardware between the CPU and the secure unit, the team at Unciphered could trick the device into thinking it’s in factory mode, which then dumped the mnemonic onto the team’s device.

    ADVERTISEMENT

    “We did that where it then tells the secure element it’s in factory mode, and we can take your mnemonics out.”

    This would have allowed a bad actor who could have discovered the vulnerability to gain access to the wallet once it was reassembled.

    Our Response to Recent Security Fix Reports https://t.co/Dp9nNp1D0U

    — OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023

    It’s worth noting that in order to perform this hack, it would have been necessary for a bad actor to have physical access to the device, as it could not be performed remotely. Nevertheless, it’s important to note that the location of a hardware wallet can be exposed – take the Ledger breach, for example, where the data of the wallet clients was exposed, leaving them open to potential thefts as well as simple extortion attempts.

    Thankfully, the issue has now been patched due to communication between the two companies. For their efforts, Unciphered received an undisclosed amount from OneKey’s bug bounty program.

    SPECIAL OFFER (Sponsored)
    Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

    PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.

    You Might Also Like:

    • security_cover
      Using LastPass to Store Passwords? You Must Act Quickly
    • 3Commas Logo
      3Commas Admits APIs Were Leaked Contrary To Prior Statements
    • Polkadot_Security
      Here's Why Polkadot's DOT Is Not a Security According to the Web3 Foundation
    Tags: Security
    Enjoy reading? Share with your friends
    Facebook Twitter LinkedIn Telegram

    About The Author

    Jordan Lyanchev
    More posts by this author

    Jordan got into crypto in 2016 by trading and investing. He began writing about blockchain technology in 2017. He has managed numerous crypto-related projects and is passionate about all things blockchain. Contact Jordan: LinkedIn

  • bitcoin
    BTC$28,269.00
  • ethereum
    ETH$1,813.60
  • Join Our Community

    FacebookTwitter YouTubeTelegram


    Editorials
    Artificial Intelligence & Crypto Guide: Here Are the Top 5 AI Coins

    Artificial Intelligence & Crypto Guide: Here Are the Top 5 AI Coins

    How to Keep Your Crypto Safe, MetaMask Future Plans, and Digital Identities: Talking Wallets With PM Alex Jupiter

    How to Keep Your Crypto Safe, MetaMask Future Plans, and Digital Identities: Talking Wallets With PM Alex Jupiter

    What is Optimism (OP): Guide to One of Ethereum’s Layer-Two Scaling Solutions

    What is Optimism (OP): Guide to One of Ethereum’s Layer-Two Scaling Solutions

    Why ZK-Rollups Are the Future of Ethereum Scaling: Interview with StarkWare PM Gal Ron

    Why ZK-Rollups Are the Future of Ethereum Scaling: Interview with StarkWare PM Gal Ron

    2022 Was Crypto’s Dot Com Bust: Let’s Recap Tech Stocks After 2000 (Opinion)

    2022 Was Crypto’s Dot Com Bust: Let’s Recap Tech Stocks After 2000 (Opinion)

    How Long Will the Ethereum LSD Narrative Last? Talking 2023 Trends with Nansen’s Martin Lee

    How Long Will the Ethereum LSD Narrative Last? Talking 2023 Trends with Nansen’s Martin Lee

    Everything That’s Going on With Pi Network: From Start to Latest Controversial Listing

    Everything That’s Going on With Pi Network: From Start to Latest Controversial Listing

    Join Our Newsletter
    Become a CryptoPotato VIP
    One Weekly Email Can Change Your Crypto Life.
    Sign-up FREE to receive our extended weekly market update and coin analysis report
    We NEVER send spam. You can unsubscribe at any time.
    Invalid email address
    Thanks for subscribing!
    Footer Logo
    About
    Advertise on CryptoPotato
    About Us | Contact Us | Careers
    Editorial Policy
    Terms of service | Privacy Policy | GDPR
    More Sections
    IEO List | Evaluations
    Airdrops
    Scholarship
    Disclaimer
    Disclaimer: Information found on CryptoPotato is those of writers quoted. It does not represent the opinions of CryptoPotato on whether to buy, sell, or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk. Full disclaimer
    © Copyright CryptoPotato 2016 - 2021
    Scroll to top
    One Weekly Email Can Change Your Crypto Life.

    Sign-up FREE to receive our extended weekly market update and coin analysis report

    We never send SPAM. You can unsubscribe at any moment
    Invalid email address
    Thanks for subscribing!