NinjaLab, a team of security researchers, has detected a vulnerability that went unnoticed for 14 years. It lies in the secure element hardware microcontrollers used by many cryptocurrency wallets.
The vulnerability affects, for example, the new Trezor (safe 4 and safe 5) and the entire YubiKey 5 series with firmware version lower than 5.7. The EUCLEACK attack requires physical access to the hardware wallet.
According to NinjaLab, this vulnerability went undetected for 14 years and around 80 top-level Common Criteria certification assessments.
According to NinjaLab's research summary, the vulnerability affects all devices running the library from Infineon Technologies, one of the largest manufacturers of secure components.
NinjaLab is a team of security experts. Source: https://ninjalab.io/eucleak/
What is the vulnerability found in wallets?
The discovery was made by Thomas Roche, co-founder of NinjaLab, who claims to have found a “side-channel vulnerability.” Having found it, he designed a lateral attack (EUCLEACK) that demonstrates that it is possible to breach the secure element microcontrollers carried by some cryptocurrency wallets.
The feasibility of this physical attack was demonstrated by NinjaLab on a YubiKey 5Ci, a security key model that uses the FIDO protocol, which is usually composed of a secure element.
In general, this lateral insecurity affects even newer microcontroller designs, such as those in the Trezor Safe series. Therefore, it does not affect the Nano or T models.
Finally, we show that the vulnerability extends to the newer Infineon Optiga Trust M and Infineon Optiga TPM security microcontrollers.
NinjaLab, security experts.
NinjaLab emphasizes that it has not yet proven that the EUCLEAK attack applies to any of these products. That said, this lateral attack on microcontrollers is theoretically possible.
Additionally, they warn that a physical attack of this type is difficult and requires a lot of resources. As a result, devices with this previously undiscovered vulnerability would remain safe.
The EUCLEAK attack requires physical access to the device, expensive equipment, custom software, and technical skills. Therefore, as far as the work presented here is concerned, it is still safer to use your YubiKey or other affected products as a FIDO hardware authentication token to log into applications rather than not using one.
NinjaLab, security experts.
Are Trezor wallets safe?
The above is in line with Trezor's statement . The company assures that users' recovery phrases for its wallets are not in danger. And that the detected vulnerability has nothing to do with the process of creating and protecting backup copies.
Trezor Safe Series. Source: https://x.com/Trezor
Additionally, he clarified some technical details about the relationship between the vulnerability and the Trezor architecture:
In theory, the Optiga vulnerability could allow someone to bypass authenticity control, but the risk of this resulting in counterfeit Trezors being sold is mitigated by a number of other tools at our disposal in the supply chain. As long as you've purchased your Trezor from our official e-shop or one of our official resellers, you don't have to worry about this!
Trezor, hardware wallet company
As NinjaLabs has stated, this vulnerability poses a limited risk to owners of secure element hardware wallets. That said, this event may serve as a reminder that even secure element chips can suffer from potentially dangerous vulnerabilities and design flaws.
An attitude influenced by this discovery should incline towards caution and foresight with regard to hardware wallets. Such an attitude would be in contrast to another unfortunately common tendency: that of granting an almost magical prestige to these chips, often marketed as unbreakable, invulnerable and indestructible.
