Unciphered posted a video showing a “massive critical vulnerability” in the OneKey Mini. The wallet's creators say it has been patched and that they are now working on further securing the wallet.
Crypto wallet provider OneKey says it has patched a vulnerability in its software that allowed one of its hardware wallets to be compromised in one minute.
A YouTube video posted on February 10 by cybersecurity startup Unciphered revealed that they had found a way to exploit a “critical vulnerability” that allowed them to “crack” the OneKey Mini.
According to Unciphered member Eric Michaud, by jailbreaking the device and entering some code, it is possible to put the OneKey Mini back into “factory mode” and bypass the security PIN, allowing a potential attacker to extract the passphrase mnemonic used to retrieve a wallet. “You have the CPU and the storage. The storage is where you keep your private keys. Now, the communication between the CPUs is encrypted, while the processing is done securely,” explained Michaud.
“Well, it turns out he wasn’t meant to do that in this case. So what you can do is to put an application in the middle that monitors communications and intercepts them and applies its own rules,” he said, adding:
“We’ve done that where it tells something safe and it’s in production mode and we can remove your mnemonics, which is your cryptocurrency.”
However, in a February 10 statement, OneKey said it had patched the security flaw identified by Unciphered, noting that its hardware team updated the security patch “early this year” without “anyone being affected” and that “all exposed weaknesses have been fixed.”
“That said, with basic passwords and security practices, even the physical attacks exposed by Unciphered will not affect OneKey users.”
The company further pointed out that although the vulnerability is a cause for concern, the Unciphered vector cannot be used properly and wants to “distribute the device to physical access through a dedicated FPGA device in the laboratory.”
According to OneKey, its correspondence with Unciphered revealed that other wallets have similar issues. “We paid a hidden fee to thank them for their commitment to OneKey security,” OneKey said.
In its blog, OneKey said it is working hard to keep its users safe, including protecting them from supply chain attacks, in which a hacker replaces a real wallet. OneKey's measures have included transparent packaging for shipping and the use of Apple’s own installation service providers to ensure tight supply chain security controls.
In the future, they hope to implement built-in analytics and upgrade hardware wallets with advanced security features. OneKey writes that the main purpose of hardware wallets is always to protect users’ money from malware attacks, computer viruses, and other remote threats, but unfortunately, nothing can be 100% safe.
“When we look at the entire hardware wallet manufacturing process, from silicon crystal to chip code, from firmware to software, it’s safe to say that given enough money, time, and resources, any obstacle can be overcome, even its nuclear weapons control systems.”