Cryptocurrency hardware wallet provider OneKey appears to have encountered a hacking attack. The hack in question was carried out by a cybersecurity initiative, meaning it came about through the act of “well-intentioned hackers”. The issue was caused by a security vulnerability in the platform. Here are the details…
Hacking attack on cryptocurrency platform
Cryptocurrency hardware wallet provider OneKey says it has addressed a vulnerability in its firmware that allowed one of its hardware wallets to be hacked within a second. A video posted to YouTube on February 10 by cybersecurity startup Unciphered showed that they had found a way to exploit a “Huge critical vulnerability” that allowed them to “crack open” the OneKey Mini.
According to Eric Michaud, a partner at Unciphered, by disassembling the device and adding coding, it was possible to return the OneKey Mini to “factory mode” and bypass the security part. “The secure element is where you store your crypto keys. Now, normally the communication is encrypted between the CPU where the processing is done and the secure element,” he explained. He also used the following statements:
Well, it turns out it wasn’t designed to do that in this case. So what you can do is put a tool that monitors the communications and then injects its own commands. We did this where it told the safe item it was in factory mode.
OneKey had already addressed the issue
However, OneKey said on Feb. 10 that it had already addressed the vulnerability identified by Unciphered, noting that the hardware team had updated the security patch “earlier this year” “without anyone being affected.” The project used the following statements:
All disclosed vulnerabilities have been fixed or are being fixed. However, with passphrases and basic security practices, even physical attacks exposed by Unciphered will not affect OneKey users.
Our Response to Recent Security Fix Reports https://t.co/Dp9nNp1D0U
— OneKey Open Source Wallet (@OneKeyHQ) February 10, 2023
The company also underlined that while the vulnerability is worrisome, the attack vector identified by Unciphered cannot be used remotely and requires “disassembly of the device and physical access via a dedicated FPGA device in the lab for execution to be possible.” According to OneKey, during correspondence with Unciphered, it was revealed that similar problems were present in other wallets. “We also paid them Unciphered awards to thank them for their contribution to OneKey’s security,” OneKey said.
Nothing is 100 percent safe
OneKey said in its blog post that it goes to great lengths to keep its users safe, including protecting them from supply chain attacks, when a hacker replaces a real wallet with one under his control. OneKey’s measures include tamper-proof packaging for deliveries and to provide strict supply chain security management cryptocoin.comAs we have also reported, the use of Apple’s supply chain service providers is included.
In the future, they hope to implement built-in authentication and upgrade newer hardware wallets with higher-level security components. OneKey wrote that the main purpose of hardware wallets has always been to protect users’ coin from malware attacks, computer viruses and other distant dangers, but unfortunately nothing can be 100 percent secure.
