The expert spent 12 weeks of trial and error, but finally found a way to recover the lost PIN.
Computer expert Joe Grand, known under the alias Kingpin, described how he managed to crack a Trezor One hardware wallet containing more than $2 million in funds.
The story began in 2018. New York entrepreneur Dan Reich and his buddy decided to cash out an investment of about $50k in the cryptocurrency Theta and suddenly realized they had lost the PIN code for the Trezor One wallet. After 12 unsuccessful attempts to guess the security PIN, they decided to stop trying before the wallet automatically deleted the data after 16 incorrect attempts.
This year, their investment grew to $2 million, and the buddies redoubled their efforts to access the funds. The only way to get the cryptocurrency without a PIN was by hacking. They contacted Grand, who spent 12 weeks of trial and error, but eventually found a way to recover the lost PIN.
The key to the hack was that during firmware updates, Trezor One wallets temporarily move the PIN and key to RAM only to later return them to flash memory after the firmware is installed. In the version of the firmware installed on Reich’s wallet, this information was not moved, but copied to RAM, meaning that in the event of a failed hack and RAM erasure, the PIN and key information would still be stored in flash memory.
After conducting what’s known as a fault-injection attack, which changes the incoming voltage to the chip, Grand was able to bypass microcontroller security designed to prevent hackers from reading RAM, and obtained the PIN needed to access the wallet and funds.
According to Trezor, the vulnerability that allows the PIN to be read from the wallet’s RAM is old and has already been fixed in the new devices.