In a YouTube video shared on their channel, the cybersecurity team at Unciphered demonstrated a critical security vulnerability in the OneKey hardware wallet that they discovered during research.
As is customary for white-hat vulnerability discoveries, the video was released only after the issue had been patched.
Lacking Customary Encryption
Unciphered, a cybersecurity startup whose main focus is recovering lost crypto for clients who no longer have access to their wallets, presumably uncovered the issue while attempting to recover funds for a customer. In the video, a OneKey wallet is disassembled and manipulated, with the Unciphered team inserting a piece of hardware that monitored communications between the wallet’s CPU and its secure element.
Generally, the communication between the CPU and the secure element – where the mnemonic and crypto are stored – is encrypted. For OneKey wallets, however, it appears this was not the case.
“Normally, the communications are encrypted between the CPU, where the processing is done, and the secure element. Well, it turns out it wasn’t engineered to do so in this case. So what you could do is put a tool in the middle that monitors the communications and intercepts them, and then injects its own commands.”
Factory Mode Bypass
By inserting their piece of hardware between the CPU and the secure element, the team at Unciphered could trick the secure element into believing the wallet was in factory mode, at which point it exported the mnemonic to the team’s hardware.
“We did that where it then tells the secure element it’s in factory mode, and we can take your mnemonics out.”
A bad actor who had discovered the same vulnerability could therefore have extracted the mnemonic and then reassembled the wallet, retaining access to it.
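The weakness the article describes is a command link that the secure element cannot tell apart from a device spliced into the bus. The toy model below is an added example, not code from the article, OneKey or Unciphered, and every command name, the frame layout, the pairing key and the sample mnemonic are constructed for illustration. It places the weak design (a secure element that obeys any bytes on the bus) beside a hardened one in which the host CPU and secure element share a pairing key, seal each command and reply with encrypt-then-MAC, and track a counter so that a plaintext, tampered or replayed frame is refused rather than executed.

```python
# Added example (not code from the article, OneKey or Unciphered): a toy model of
# the host-CPU <-> secure-element command link. Command names, the frame layout,
# the pairing key and the sample mnemonic are all constructed for illustration.
import hashlib
import hmac
import struct

SAMPLE_MNEMONIC = b"constructed sample mnemonic - not a real seed"  # constructed


class PlaintextSecureElement:
    """The weak design: executes whatever bytes arrive on the bus."""

    def __init__(self) -> None:
        self.factory_mode = False

    def execute(self, cmd: bytes) -> bytes:
        if cmd == b"ENTER_FACTORY_MODE":
            self.factory_mode = True
            return b"OK"
        if cmd == b"EXPORT_MNEMONIC":
            return SAMPLE_MNEMONIC if self.factory_mode else b"ERR_LOCKED"
        if cmd == b"GET_STATUS":
            return b"FACTORY" if self.factory_mode else b"LOCKED"
        return b"ERR_UNKNOWN"


def _keystream(key: bytes, label: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream (teaching model, not production crypto)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + struct.pack(">II", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, label: bytes, counter: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC frame: counter(4) || ciphertext || tag(32)."""
    header = struct.pack(">I", counter)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, label, counter, len(payload))))
    tag = hmac.new(key, label + header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_frame(key: bytes, label: bytes, frame: bytes):
    """Return (counter, payload), or None when the tag does not verify."""
    if len(frame) < 36:
        return None
    header, ct, tag = frame[:4], frame[4:-32], frame[-32:]
    expected = hmac.new(key, label + header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    counter = struct.unpack(">I", header)[0]
    return counter, bytes(c ^ k for c, k in zip(ct, _keystream(key, label, counter, len(ct))))


class AuthenticatedSecureElement:
    """The hardened design: only commands sealed under the pairing key and
    carrying the next expected counter are executed; replies are sealed too."""

    def __init__(self, pairing_key: bytes) -> None:
        self.key, self.expected, self.core = pairing_key, 0, PlaintextSecureElement()

    def execute(self, frame: bytes) -> bytes:
        opened = open_frame(self.key, b"cmd", frame)
        if opened is None:
            return b"ERR_AUTH"      # forged, tampered or plaintext frame
        counter, cmd = opened
        if counter != self.expected:
            return b"ERR_REPLAY"    # captured frame played back, or reordered
        self.expected += 1
        return seal(self.key, b"resp", counter, self.core.execute(cmd))


class Host:
    """The wallet CPU, provisioned with the same pairing key at manufacture (assumption)."""

    def __init__(self, pairing_key: bytes) -> None:
        self.key, self.counter, self.last_frame = pairing_key, 0, b""

    def send(self, se: AuthenticatedSecureElement, cmd: bytes) -> bytes:
        self.last_frame = seal(self.key, b"cmd", self.counter, cmd)
        self.counter += 1
        opened = open_frame(self.key, b"resp", se.execute(self.last_frame))
        return opened[1] if opened else b"ERR_BAD_RESPONSE"


def demo_unauthenticated_bus() -> bytes:
    """Plaintext link: a device sitting on the bus can issue the factory-mode command itself."""
    se = PlaintextSecureElement()
    se.execute(b"ENTER_FACTORY_MODE")
    return se.execute(b"EXPORT_MNEMONIC")


def demo_authenticated_bus() -> dict:
    """Authenticated link: the same bus-level interference is rejected at every step."""
    key = b"constructed-pairing-secret"  # constructed; a real device would derive it per unit
    se, host = AuthenticatedSecureElement(key), Host(key)
    results = {"injected": se.execute(b"ENTER_FACTORY_MODE")}   # no tag -> ERR_AUTH
    results["status"] = host.send(se, b"GET_STATUS")            # legitimate -> LOCKED
    results["replay"] = se.execute(host.last_frame)             # stale counter -> ERR_REPLAY
    tampered = bytearray(host.last_frame)
    tampered[-1] ^= 0x01                                        # flip one tag bit -> ERR_AUTH
    results["tampered"] = se.execute(bytes(tampered))
    results["export"] = host.send(se, b"EXPORT_MNEMONIC")       # still locked -> ERR_LOCKED
    return results
```

The point of the model is the design property, not the particular primitives: a real device would pair the two chips with per-unit keys and an AEAD such as AES-GCM rather than an HMAC keystream, and would bind the factory-mode transition to something a bus interposer cannot supply, such as a signed command or a physical provisioning fuse. With the link authenticated, a monitor on the bus sees only sealed frames, and the counter means that even a faithfully captured legitimate frame cannot be played back.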
Our Response to Recent Security Fix Reports https://t.co/Dp9nNp1D0U
— OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
It’s worth noting that this attack required physical access to the device; it could not be performed remotely. Even so, the location of a hardware wallet can be exposed – take the Ledger breach, for example, where customer data was leaked, leaving wallet owners open to potential theft as well as simple extortion attempts.
Thankfully, the issue has now been patched following coordinated disclosure between the two companies. For their efforts, Unciphered received an undisclosed amount from OneKey’s bug bounty program.