Dark times for secure elements (SE) and hardware wallets
1285 sats \ 4 comments \ @eddieoz 5 Sep bitcoin
Trezor uses a secure element (SE) from Infineon, specifically the SLE78, which they implement in their products as the Optiga Trust M. They assure customers that their seed backup is safe, but they fail to mention that the ECDSA private key is the information being stored, which could be seen as misleading to their customers.
My research shows that Ledger, Coldcard, and OneKey use secure elements from different manufacturers.
Coldcard uses two different secure elements from separate manufacturers. One of them is Microchip's ATECC608, and recently, the company was reportedly affected by malware, compromising some internal information. However, there is currently no information regarding the full extent of the impact.
Reference links below: Secure element vulnerability: https://ninjalab.io/eucleak/ Microchip's cyberattack: https://bleepingcomputer.com/news/security/microchip-technology-confirms-data-was-stolen-in-cyberattack/ https://sec.gov/Archives/edgar/data/827054/000082705424000181/mchp-20240904.htm
write
preview
related posts
0 sats \ 1 reply \ @Manikese 5 Sep
Are there any reports of SEs being hacked and Bitcoin being compromised or stolen because of it?
reply
0 sats \ 0 replies \ @eddieoz OP 5 Sep
No, it needs physical access to the device and a very specialist hardware to extract the private key.
The extractions were done on yubikeys, but Trezor has the same component. Then, theoretically it is possible, but it is hard and no one reported about it.
reply
0 sats \ 1 reply \ @Nuttall 5 Sep
Wack-a-mole.
reply
10 sats \ 0 replies \ @eddieoz OP 5 Sep
Wack-a-mole. totally
reply