A Shift Crypto employee successfully carried out a ransom attack on Trezor and KeepKey hardware wallets last May. While Trezor released a fix on September 2nd, KeepKey hasn’t fixed the problem yet.
According to a publication from September 2nd The vulnerability affected all cryptocurrencies on the affected devices. The exploit discovered on April 15th by the developers of Shift Crypto, it also affected KeepKey wallets, which were originally based on a branch of the Trezor Code and probably work on a similar basis.
When asked about the vulnerability, it appears that a KeepKey representative commented that a fix has not yet been developed. and stated that its developers “work on higher priority items first”.
The author from the blog post warned:
“A malicious wallet or an intermediary [ransomware] Changing data transferred via USB could send any fake passphrase to Trezor / KeepKey and keep received coins in this wallet. “
He added that too The passphrase entered by the user could “just be ignored”. in favor of a substitute passphrase that is only known to the attacker.
In May, Trezor, Ledger and KeepKey’s customer databases allegedly went up for sale following a serious data breach.
The hacker claimed to be in possession of Account information for nearly 41,500 Ledger users, 27,100+ Trezor users, and 14,000 KeepKey customers.
SatoshiLabs noted at the time that they did not believe the information was real.