This Popular Hardware Wallet was Hacked by a Cybersecurity Firm – Should You Be Concerned?
Crypto hardware wallet provider OneKey was hacked by cybersecurity startup Unciphered - in one second. The wallet manufacturer claims the vulnerability in its firmware that allowed the breach has been fixed.
On February 9, Unciphered posted a video on their YouTube channel, stating that they had found "a massive critical vulnerability," which they managed to exploit in a single second and crack OneKey.
Eric Michaud, a partner at Unciphered, went on to explain how the hack works, noting that the device has the central processing unit (CPU) that's in charge of processing and "the secure element" where crypto keys are kept. The communications between these two are normally encrypted.
However, Michaud said,
"[It] turns out it wasn’t engineered to do so in this case. We figured that out. So what you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands. We did that where it then tells the secure element it’s in factory mode and we can take your mnemonics out, which is your money in crypto."
So, basically, a bad actor could insert coding after disassembling OneKey Mini, return the device to 'factory mode', bypass the security pin, and take the mnemonic phrase.
The team contacted OneKey, engaging the bug bounty program, and they were willing to work with Unciphered to patch the vulnerability.
Just a day after the video was published, OneKey issued a statement, saying that "no one is affected," and that "all disclosed vulnerabilities have been or are being fixed."
The wallet provider said that,
"Earlier this year, we received a responsible disclosure from cybersecurity startup Unciphered that validated a potential vulnerability in the OneKey firmware, and our
Read more on cryptonews.com
