KeepKey Hardware Security Assurances
tl;dr KeepKey hardware was secure before and is even more secure now. A firmware update is not required.
There have been some concerns lately about the security of the hardware used in the KeepKey device. This blog post addresses the two specific concerns that we are aware of.
Variable PIN Failure Time
Last month, a security researcher described a theoretical vulnerability with the KeepKey device at DefCon 25. He described an attack where the clock and power levels were ‘fuzzed’. That is, they were subtly changed, pushing the boundaries of the operating parameters of the device. By doing so, he was able to get the device to reboot or shutdown, but ultimately, was unable to successfully exploit the device.
In one part of the presentation, the researcher mentioned that KeepKey had a potential vulnerability in the way the PIN entered by the user is checked against the PIN stored on the device. The concern was that the comparison we used took slightly different amounts of time depending on the position of the first incorrect digit: if the first digit was wrong, the check rejected the PIN sooner than if only the second digit was wrong. The difference is tiny, but it is measurable with the right equipment.
An attacker can use this timing variability to cut down the number of guesses needed to find the PIN. They start by trying every possible digit in the first position; the guess that takes slightly longer to be rejected has the correct first digit. Repeating this for each position recovers the PIN digit by digit, with at most 10 guesses per digit instead of 10^n combinations for an n-digit PIN.
The DefCon presenter noted, correctly, that this attack is mitigated by the device's exponential timeout. After a few wrong PINs a KeepKey makes you wait before you can try again, and the wait doubles with every further failure: 8 seconds after the 3rd failed attempt, 1024 seconds (about 17 minutes) after the 10th, and more than 12 days after the 20th. The time that even an optimized attack would take therefore escalates very quickly.
However, out of caution, we changed the PIN checking algorithm so that it examines every digit and takes the same amount of time regardless of which digits are wrong (a constant-time comparison). This eliminates the digit-by-digit attack. It is an overall improvement to the security of KeepKey, so we think it is a worthwhile change.
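To make the two comparison strategies and the attack concrete, here is an added C example (illustration written for this post, not KeepKey firmware code). It models the early-exit check, the constant-time check, a digit-by-digit attack that uses a loop-iteration counter in place of a timing measurement, and the doubling lockout. The 9-digit PIN limit, the sample PIN, and modelling the lockout as 2^n seconds after n failures are assumptions made for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_MAX 9   /* assumption: PINs are 1..9 digits */

typedef int (*pin_check_fn)(const char *stored, const char *entered, unsigned *work);

/* Early-exit comparison: returns at the first differing digit, so the number of
 * loop iterations (our stand-in for elapsed time, reported in *work) reveals how
 * many leading digits of the guess were correct. */
int pin_check_leaky(const char *stored, const char *entered, unsigned *work)
{
    unsigned w = 0;
    for (size_t i = 0; i <= PIN_MAX; i++) {      /* includes the NUL terminator */
        w++;
        if (stored[i] != entered[i]) { *work = w; return 0; }
        if (stored[i] == '\0') break;            /* both ended together: match */
    }
    *work = w;
    return 1;
}

/* Constant-time comparison: both PINs go into fixed-size zero-padded buffers and
 * every byte is examined, folding differences into 'diff' with OR.  No early
 * exit and no branch on secret data, so the work is identical for every guess.
 * (Real firmware would keep the stored PIN in a fixed buffer already; the
 * strncpy here is setup for the example.) */
int pin_check_ct(const char *stored, const char *entered, unsigned *work)
{
    uint8_t a[PIN_MAX + 1] = {0}, b[PIN_MAX + 1] = {0};
    uint8_t diff = 0;
    unsigned w = 0;
    strncpy((char *)a, stored, PIN_MAX);
    strncpy((char *)b, entered, PIN_MAX);
    for (size_t i = 0; i < PIN_MAX + 1; i++) {
        w++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    *work = w;
    return diff == 0;
}

/* Digit-by-digit attack driven only by the work counter (the "timing oracle").
 * For each position it tries '0'..'9', with later positions filled with '0', and
 * keeps the guess that succeeds outright or takes the most work.  Returns the
 * number of guesses made; the recovered PIN is written to 'out'. */
unsigned recover_pin(pin_check_fn check, const char *stored, size_t len, char *out)
{
    unsigned guesses = 0;
    memset(out, '0', len);
    out[len] = '\0';
    for (size_t pos = 0; pos < len; pos++) {
        char best = '0';
        unsigned best_work = 0;
        for (char d = '0'; d <= '9'; d++) {
            unsigned work;
            out[pos] = d;
            guesses++;
            if (check(stored, out, &work)) return guesses;   /* full PIN found */
            if (work > best_work) { best_work = work; best = d; }
        }
        out[pos] = best;   /* with a constant-time check this is just '0' */
    }
    return guesses;
}

/* Runs the attack and returns the number of guesses if the recovered PIN equals
 * the stored one, or 0 if the attack failed. */
unsigned attack_succeeds_in(pin_check_fn check, const char *stored)
{
    char out[PIN_MAX + 1];
    unsigned g = recover_pin(check, stored, strlen(stored), out);
    return strcmp(out, stored) == 0 ? g : 0;
}

/* Work (iteration count) a given check performs for one guess. */
unsigned work_of(pin_check_fn check, const char *stored, const char *entered)
{
    unsigned w;
    check(stored, entered, &w);
    return w;
}

/* Exponential lockout as described in the post: the wait doubles with every
 * failure.  Modelled (assumption) as 2^fails seconds, which reproduces the
 * post's figures: 8 s after 3 failures, 1024 s after 10, over 12 days after 20. */
uint32_t pin_wait_seconds(unsigned fails)
{
    return fails < 32 ? (uint32_t)1 << fails : UINT32_MAX;
}

int main(void)
{
    const char *stored = "7391";   /* constructed sample PIN */
    printf("leaky check: recovered in %u guesses\n", attack_succeeds_in(pin_check_leaky, stored));
    printf("constant-time check: %u (0 = attack failed)\n", attack_succeeds_in(pin_check_ct, stored));
    printf("wait after 3/10/20 failures: %" PRIu32 " s, %" PRIu32 " s, %" PRIu32 " s\n",
           pin_wait_seconds(3), pin_wait_seconds(10), pin_wait_seconds(20));
    return 0;
}
```

Against the early-exit check the attack recovers the 4-digit sample PIN in 32 guesses, well under the 10,000 needed by brute force; against the constant-time check every guess reports the same work, the oracle is useless, and the attacker is back to exhaustive search under the doubling lockout.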
This update is available in firmware version 3.1.0 and higher. The easiest way to get the updated firmware is to install the beta release from the Chrome Web Store and use it to install the firmware on your device.
The So-Called '15 Second' Hack
SatoshiLabs contacted KeepKey earlier this week to inform us of a new exploit. It was the same exploit that is described in a Medium post published this morning. The post describes how the attacker was able to retrieve the mnemonic seed words and other confidential information from a device by removing the case, soldering a button to the board, then installing a specially crafted firmware image to the device.
SatoshiLabs has already released a firmware update that prevents this attack from working on their device.
UPDATE: It turned out that KeepKey isn’t vulnerable to this attack.
Still, reading code is different from running it. In the next few days, we will verify that the exploit does not work on KeepKey devices by following the procedure described in the post, and we will post another update once we have done so.
Both of these attacks require physical possession of the device; neither can be carried out remotely or through malicious software. Both require the device to be opened and physically modified, specialized equipment, or both. We believe that previous versions of our firmware were already immune to both attacks. The improvements in firmware version 3.1.0 only serve to strengthen the security of KeepKey.
Special thanks to SatoshiLabs for informing us of the vulnerability. It demonstrates their dedication to being responsible security professionals and we are thankful to them for the disclosure.