A Shift Crypto employee successfully deployed a ransom attack on Trezor and KeepKey hardware wallets last May. While Trezor released a fix on September 2, KeepKey has yet to fix the issue.
According to a blog post published on September 2, the vulnerability affected all cryptocurrencies on affected devices. The exploit, which was first spotted on April 15 by developers Shift Crypto, also affected KeepKey wallets — which were originally based on a fork of Trezor’s code and likely operate on similar foundations.
When asked about the vulnerability, a KeepKey representative apparently commented that a fix had not yet been developed, explaining that their developers “are working on higher priority items first.”
The blog post’s author warned:
“A malicious wallet or a man-in-the-middle [ransomware] modifying data transferred via USB could send an arbitrary fake passphrase to the Trezor / KeepKey, and hold any coins received in this wallet hostage.”
He also added that the passphrase entered by the user could be “simply be ignored,” in favor of a replacement passphrase, only known to the attacker.
In May, the customer databases of Trezor, Ledger, and KeepKey were allegedly listed for sale following a substantial data breach.
The hacker claimed to be in possession of account information corresponding to nearly 41,500 Ledger users, over 27,100 Trezor users, and 14,000 KeepKey customers.
SatoshiLabs noted at the time that they did not believe the information to be genuine.