Episode 2 – Side-channel Attacks
In this episode, we will show how some hardware wallets can be hacked with what is called a “side-channel attack.” Please note that this exploit doesn’t work on Ledger’s wallets.
Today, in the Donjon, we will introduce you to side-channel attacks: how we are able to hack an electronic cryptocurrency wallet in order to find the PIN code that should protect access to it. The side-channel attack consists of recovering the hardware wallet’s PIN code and thus being able to use the wallet without the owner’s knowledge. The principle of side-channel attacks is to observe the behavior of electronic wallets while they are computing a sensitive operation. For example, the current consumption when the device handles a 1 will be different from the current consumption when the device handles a 9. A side-channel attack can be compared to a burglar who uses a stethoscope to listen to a safe and tries to find the right combination with just the sound.
First, we start by opening the case. Then we can extract the integrated circuit. Here we have the heart of the hardware wallet: a microcontroller. This is the component we will try to attack. We are going to solder some wires onto the PCB to measure the power consumption of the circuit. Once the soldering is finished, we reconnect the wallet and put it on the test bench. Now we have everything set up.
We’re going to try to capture the current consumption of the device while it’s running. I’m going to plug that into the oscilloscope. What we see here is just white noise: the idling components. The device is doing nothing, so we’re going to enter some random PIN codes into it and, at the same time, record the current consumption, so that we can build a large database relating each PIN digit value to its current consumption. We see something emerging from the first digit. There’s one group here which has very high power consumption and another one which has very low power consumption. It’s as if each digit leaves a different footprint, which means we can distinguish them easily just by looking at the trace. Each of those clusters is the power consumption associated with one of the digits of the PINs entered on the device. Once we have studied the electrical behavior for each PIN digit, we build a dictionary, and then, on a real device, we reuse this dictionary to try to identify the right PIN code and so attack any hardware wallet of this brand.
Now, what we’re going to do is use a script that statistically matches the traces we’ve just recorded against the traces in the dictionary. So I run the script, and it guesses the digits one by one. The PIN has been recovered: it’s 1-3-3-7. The attack is successful, so we can access the wallet. After the Donjon successfully hacked this hardware wallet, the Donjon Masters reported the vulnerability to the manufacturer. This flaw has been fixed.
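The two phases described above (profiling known digits into a dictionary, then matching fresh traces against it) as an added simulation on constructed data, not code from the Donjon or from any real device: the leakage model, the hardened model, the sample counts and the noise level are all assumptions. It also shows the check a manufacturer would run to confirm a fix: a Welch t-test between traces for two digits, which stays small once consumption no longer depends on the digit.

```python
import random
import statistics

random.seed(1337)
SAMPLES = 16  # samples captured per PIN digit (constructed, not oscilloscope data)

def leaky_trace(digit, noise=0.6):
    """Constructed model of the unpatched device: the consumption level
    follows the digit value, so a 1 and a 9 leave different footprints."""
    return [digit + random.gauss(0, noise) for _ in range(SAMPLES)]

def hardened_trace(digit, noise=0.6):
    """Constructed model of a fixed device: consumption is independent
    of the digit being handled, so only noise remains."""
    return [2.0 + random.gauss(0, noise) for _ in range(SAMPLES)]

def build_dictionary(trace_fn, per_digit=200):
    """Profiling phase: average the traces recorded for each known digit."""
    dictionary = {}
    for d in range(10):
        traces = [trace_fn(d) for _ in range(per_digit)]
        dictionary[d] = [statistics.fmean(col) for col in zip(*traces)]
    return dictionary

def match_digit(trace, dictionary):
    """Matching phase: the dictionary entry closest (squared distance) to the trace."""
    dist = lambda ref: sum((a - b) ** 2 for a, b in zip(trace, ref))
    return min(dictionary, key=lambda d: dist(dictionary[d]))

def recovery_rate(trace_fn, dictionary, trials=300):
    """Fraction of fresh traces whose digit the dictionary identifies correctly."""
    hits = 0
    for _ in range(trials):
        d = random.randrange(10)
        hits += match_digit(trace_fn(d), dictionary) == d
    return hits / trials

def welch_t(trace_fn, digit_a, digit_b, n=200):
    """Leakage check: Welch's t-statistic between the per-trace mean amplitude
    of two digits. |t| above about 4.5 is the usual sign that a leak exists."""
    a = [statistics.fmean(trace_fn(digit_a)) for _ in range(n)]
    b = [statistics.fmean(trace_fn(digit_b)) for _ in range(n)]
    var_a, var_b = statistics.variance(a) / n, statistics.variance(b) / n
    return (statistics.fmean(a) - statistics.fmean(b)) / (var_a + var_b) ** 0.5

if __name__ == "__main__":
    for name, fn in (("leaky", leaky_trace), ("hardened", hardened_trace)):
        dictionary = build_dictionary(fn)
        print(f"{name}: recovery {recovery_rate(fn, dictionary):.2f}, "
              f"t(1 vs 9) {welch_t(fn, 1, 9):.1f}")
```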