Kraken Security Labs has discovered a critical flaw in Trezor hardware wallets that would allow bad actors to extract an encrypted seed phrase.
Unfortunately for Trezor, this vulnerability cannot be fixed with a software upgrade.
It takes only 15 minutes
The Kraken team has determined that one only needs 15 minutes of physical access to the wallet in order to get the seed phrase. This is achieved by attacking its microcontroller through voltage glitching.
The budget constraints are minimal — a mass-produced glitching device could only cost around 75 dollars.
Both Trezor T and Trezor One models are susceptible to such attacks.
This flaw is hard to fix
Since the problem lies with the microcontroller of Trezor wallets, there is hardly anything that the Trezor team can do without completely redesigning its product.
The only surefire way for Trezor owners to protect their coins is to keep their wallets as far as possible from attackers since this vulnerability cannot be exploited remotely. Another possible solution is to enable a BIP39 phrase for encrypting the seed.