(Editor’s note: The following is a guest post from friend of the site UKMayhem about an important security topic he wanted to bring to the Chia Community even though it isn’t strictly Chia-related. Yet.)
Some of the older crowd within the crypto scene may remember a name. That name is Joe Grand others may know him by his other name KINGPIN. In 1988, as part of the legendary Boston-based hacker collective L0pht Heavy Industries, Joe Grand testified before a US Senate committee on the state of government computer security at age 22.
This is a very well-known person within the hacker scene and also very well respected. Why is this important? Recently Joe was able to hack a hardware crypto wallet known as the Trezor and was able to recover $2million for the owner. Thankfully he is one of the “Good Guys”.
But this has led to a concern from myself and others that needs to be addressed, as we were sold the hardware wallets with the promise that they were “unhackable”. However, the reality is that these devices must be kept up-to-date, or the security promises cannot be kept.
This recent exploit discovered is known to affect the TREZOR HARDWARE WALLET FirmWare 1.6.0. Trezor has confirmed that that version 1.6.1 has patched this vulnerability.
Now we have seen a lot of newcomers into crypto and another thing that must be stressed to them is to back up your seed keys your recovery phrases. I’m not saying have them written down on-hand but a encrypted hard drive stored off-site or a fireproof lock box can save you even after the worst case scenarios. (editor’s note: Security is made up of Confidentiality, Integrity and Reliability. Do not sacrifice reliability for confidentiality or you will lose access to your funds forever).
Severity and importance of updating your devices
It seems like a long time ago, or I’m getting old, but think way back to 2017, which may only be a distant memory to most of us after the lockdowns. WannaCry crippled an estimated 230,000 computers in 150 countries causing approximately $4 billion in financial losses with in 24 hrs, 70,000 of which belong to the UK National Health Service crippling operations.
An exploit called Eternal blue, taken by the Shadow-Brokers from the NSA. Yes, that NSA allowed their ‘cyber-weapon’ to leak, and it was used in the wild a lot. According to Forbes “Since the NSA lost control of its EternalBlue exploit two years ago, the tool has been repurposed by criminals and state actors alike to wreak billions of dollars of damage, upend the lives of citizens, damage businesses and paralyze governments.”
All this was able to take place due to outdated and unsupported Windows systems, like Windows XP. Microsoft had already patched the vulnerabilities used by these exploits, but they were able to still make billions off the unpatched.
Why this is important
The exploit used by EternalBlue had been known about for a long time and was already patched! it was taken from people that it shouldn’t have been taken from and allowed to cause utter mayhem against innocent people, some of those the NSA was sworn to defend.
Now that an exploit has been discovered for the Trezor Hardware wallet running outdated Firmware and it has been exposed to public light there is going to be more then just “The Good Guys” working on this project as a lot of the groundwork has been done already. We may be about to see a wave of shady Recovery services that have no intention of recovering your funds for you!
I wrote this piece out of a desire to spread awareness of this exploit and the importance of updating your hardware wallet firmware and keeping it up to date. These are still computers running software and need to be kept up to date to protect against the latest attacks.
I shall leave with this comment please update your devices please back up your seeds or recovery phrases and don’t forget them or lose them. As hardware wallets start to support Chia and people move their funds over to them, remember this.