MINimum Failure - Stealing Bitcoins with Electromagnetic Fault Injection

MINimum Failure - Stealing Bitcoins with Electromagnetic Fault Injection

How secure is a typical hardware bitcoin wallet? Surely such a device would not pin the security on the execution of a single instruction, that if mis-executed would immediately reveal the critical recovery seed, right? Right??

This talk introduces an attack on the Trezor Bitcoin wallet that allows reading out of the recovery seed by performing electromagnetic fault injection (EMFI) through the enclosure of the device, without having to break or open the case. This means one can clone the device to steal bitcoins at a later date, without leaving any sign of tampering even should the physical seal be completely verifiable. And it comes down to a single comparison in the USB stack, which is replicated across many other devices (including most USB stacks on embedded systems).

To assist with the attack, this talk also introduces the PhyWhisperer - an open-source tool for performing advanced triggering on USB packets. This tool is used as part of generating the required timing for fault injection. Dumping memory has never been so fun or profitable! On the plus side, countermeasures can be reasonably implemented in most systems (and have already been added to the Trezor), so rather than just presenting a depressing future, this talk also gives the motivation for implementing the countermeasures.

Presented by