Cryptocurrencies, blockchain, NFT and new trends

Security firm Unciphered hacked into popular hardware wallet OneKey

Quick Take

  • Unciphered successfully hacked a popular hardware crypto wallet manufactured by OneKey.
  • OneKey acknowledged the vulnerability, updated the security patch and paid Unciphered a bounty for the responsible disclosure.

Cybersecurity startup Unciphered demonstrated a hack of a notable hardware crypto wallet manufactured by OneKey, a Hong Kong-based firm that raised $20 million last year.

Unciphered showed what’s called a “man-in-the-middle” hack of the wallet in a YouTube video where it was able to extract the mnemonic seed phrase, also known as the private key, from the OneKey Mini hardware wallet by exploiting a vulnerability. OneKey promptly patched the vulnerability after being contacted.

In a hardware wallet, private keys that grant access to crypto assets are stored offline and protected by a physical device, which makes them much less susceptible to hacking or theft. But Unciphered was able to bypass the hardware security mechanisms put in place within OneKey Mini.

The firm said it exploited the lack of encryption between the hardware wallet’s CPU and the secure element by using a field programmable gate array that was able to intercept communications between the processor and the secure element, which holds the device’s seed phrase.

No one affected

“The FPGA is a high speed processor also known as a field programmable gate array, allowing us to iterate through different algorithms, bypass the wallet’s security and extract the mnemonics,” Unciphered said.

OneKey acknowledged the vulnerability in a statement and said it had updated the security patch.

“No one was affected,” the company said, emphasizing that a potential attack, as demonstrated by Unciphered, cannot be exploited remotely and would require both the crypto wallet of a user and specialized FPGA equipment.

OneKey said it paid Unciphered a bounty for the disclosure.