Key Takeaways:
- OneKey Mini has a “Massive critical vulnerability,” as demonstrated in a video by Unciphered.
- The wallet has been patched, and its makers strive to make it even more secure.
OneKey, a maker of cryptocurrency hardware wallets, says it has already fixed a firmware vulnerability that left one of its hardware wallets easy to compromise.
On February 10, cybersecurity startup Unciphered revealed in a YouTube video that they had discovered a means to “break open” a OneKey Mini by taking advantage of a “Massive critical flaw.”
Eric Michaud, a partner at Unciphered, claimed that by disassembling the device and adding code, it was feasible to put the OneKey Mini back in “factory mode,” bypass the security PIN and delete the mnemonic phrase needed to retrieve a wallet. He added:
“Well it turns out it wasn’t engineered to do so in this case. So what you could do is put a tool in the middle that monitors the communications and intercepts them and then injects their own commands. We did that where it then tells the secure element it’s in factory mode and we can take your mnemonics out, which is your money in crypto.”
On the other hand, OneKey said in a statement released on February 10 that it had already repaired the security hole found by Unciphered, adding that its hardware team had updated the security patch “early this year” without causing any issues. OneKey stated:
“That said, with password phrases and basic security practices, even physical attacks disclosed by Unciphered will not affect OneKey users.”
The company said that while the vulnerability was alarming, the attack vector discovered by Unciphered could not be exploited remotely and required physical access to the device through a particular FPGA device in a lab. OneKey claims that its communication with Unciphered revealed that other wallets had been found to have similar problems. OneKey mentioned:
“We also paid Unciphered bounties to thank them for their contributions to OneKey’s security.”
OneKey claims in a blog post that it has already taken tremendous measures to preserve the security of its users, including safeguarding them from supply chain attacks, in which a hacker swaps out a genuine wallet for one under their control. To maintain strict supply chain security control, OneKey has implemented measures such as tamper-proof packaging for deliveries and the use of Apple supply chain service partners.
They intend to integrate onboard authentication and upgrade more recent hardware wallets with more advanced security features in the future. OneKey stated that although nothing can be completely secure, the main goal of hardware wallets has always been to shield customers’ money from malware attacks, computer infections, and other remote threats.