Cryptocurrency swaps and hardware wallet producer ShapeShift addressed recent KeepKey hardware wallet vulnerability allegations.
ShapeShift responded to an alleged vulnerability submitted through its responsible disclosure program in a Medium post published on Aug. 4. Per the announcement, the firm received a vulnerability report through the program on May 1, which described what the researchers believed to be a hardware vulnerability.
The purported vulnerability would allow an attacker to read what was on the wallet’s screen by monitoring power fluctuations to the display in what is known as a side-channel attack. If attackers were monitoring the power levels while sensitive information was displayed on-screen, this would ostensibly give them the opportunity to steal funds from the device.
The “vulnerability” is impractical
ShapeShift notes that, to obtain access to sensitive information displayed on-screen, an attacker would need to have physical access to the device and accurately monitor the KeepKey’s energy consumption with an oscillometer (or a similar instrument) as the information is displayed.
ShapeShift explains that, since this alleged vulnerability would require physical access, there would be a simpler way to acquire the information:
ShapeShift states that a side-channel attack would require physical access, specialized equipment, hardware skills and statistical analysis of the data to derive the contents displayed based from only the display’s energy consumption. Furthermore, it claims that, even if all of those requirements were met, it would still be highly difficult to interpret the data: