Cyber firm cracks OneKey crypto wallets, raises broader questions of hardware security

But not everyone is convinced they are always a good idea, including a team of white hat hackers at a cybersecurity startup called Unciphered. The team has just published a video that shows them breaking into a device manufactured by OneKey, a Hong-Kong based firm that has raised $20 million in venture capital and that describes its product as an “open source wallet trusted by millions.”

Unciphered shared a preview version of the video with Fortune, explaining that the exploit involved using a “man-in-the-middle” attack to trick the OneKey device into thinking it was still in the factory. By doing this, Unciphered was able to get the device to relay the wallet’s seed phrase—a random, unguessable string of 12 or more words that serves as a password—to another part of the device’s computer system, capturing it along the way.

Taking possession of a seed phrase means it is possible to gain access to the digital assets inside a wallet and steal them by sending them to a different address. Or more simply, it’s like making a copy of the key to someone’s safety deposit box that can be accessed anytime and anywhere.

Here are images showing the exploit, which Unciphered says takes less than a second to conduct once the OneKey device has been disassembled and the “man-in-the-middle” component attached:

Yishi Wang, the founder of OneKey, confirmed the existence of the exploit, and told Fortune the company has since provided an update to repair it.

“We appreciate the assistance of Unciphered and other security white hats. The firmware vulnerability you mentioned above, which required physical access [and] specialized equipment, has now been fixed,” he said by email.

According to Unciphered, OneKey paid the company $10,000 in the form of a “bug bounty”—a term that describes a reward system, offered by many tech and crypto companies, to encourage white hackers to report and share vulnerabilities in a responsible fashion.

How safe are hardware wallets, really?

While the existence of vulnerabilities are always cause for concern, the reality is that not all exploits pose a significant real world danger. As the OneKey founder noted in his reply to Fortune, the vulnerability discovered by Unciphered required a hacker to have physical access to the device and a high degree of technical proficiency—a very different situation than a software exploit that can be sold or used by a low-level cyber-criminal.

Nonetheless, the danger is still real. According to Eric Michaud, the founder of Unciphered, the sort of person who possesses a hardware wallet typically owns a fair amount of digital assets, and is especially likely to be targeted by sophisticated criminals. He notes that crypto conferences provide a particularly target rich environment for thieves, including those who burgle hotel rooms.

In an interview, Michaud also observed that hardware wallets can provide a false sense of security, leading owners to fail to securely store their device on the false assumption hackers can’t crack it. And while hardware makers provide software updates to harden a device’s security—as OneKey did in response to Unciphered’s discovery—there is also the problem of older wallets whose manufacturer is no longer in business, or held by owners who neglect to update them.

More broadly, Michaud says Unciphered—which is staffed by longtime security researchers, some of whom have held national security clearances—is also concerned about a much broader range of hardware wallets than OneKey.

According to Michaud, multiple hardware wallet manufacturers recycle the same code base to make their products, meaning that a vulnerability discovered in one wallet is often found in other ones. The upshot is that those who rely on hardware wallets to guard their crypto need to remain vigilant.