Breaking Trezor wallet passphrase
A TREZOR hardware wallet is a security device that is supposed to protect you from key loggers and phishing e-mail keeping your Bitcoin safe. Various groups have been able to open the device by mitigating side channel attacks. The method worked only if the passphrase was not used. We did NOT have physical access to the device.
When making a transaction the user only enters a PIN and therefor protects the private key of the Bitcoin. The only backup is a 12/24 word mnemonic that determinate which addresses are stored on the device.
Recently, a client asked us to Brute Force their TREZOR wallet as he had forgotten the passphrase, commonly known as the 25th word.
The passphrase was designed to make sure your funds were safe in case you loose your TREZOR and someone gets hold of your 24 word mnemonic. The passphrase can be a word, a number or a string of random characters. The idea behind it is to deceive the thief to believe that once he opens your TREZOR or recovers it with the 24 words, he will only find a “fake” or low value amount of BTC. This specific client had 10 USD worth of Bitcoin stored on his TREZOR’s main wallet based on the 24 words, but the real treasure trove was a wallet hidden behind his passphrase, the value we cannot disclose.
The job was split up into two phrases (or three). But before we could start, the client wanted to meet face-to-face. As traveling to South America was out of the question as we had security presentation scheduled in Europe, the client agreed to a Skype “interview”. After 2 hours he was convinced we would not run away with his funds.
The first part was to gather information about the possible hints to the passphrase, as a 6+ characters passphrase would take forever to brute force with conventional tools. As an example, a GITHUB repo by the user gurnec has a tool called btcrecover that brute forces on average a couple of hundred passwords per second. To break a 5 character password would take two days, if you add capital letters and numbers 6 months.
This clients password consisted of more than 5 characters with both upper and lower case characters, possibly numbers and a special character, which would take approximately 2+ years to brute force with the tool.
That is if the main wallet was the first created on the TREZOR. This was not the case, the “fake” wallet was created first, there were transactions and the real wallet was created later. This meant that we were forced to search for a multiple number of wallet addresses and change addresses, that multiplies the amount of time to break the encryption. Quickly we realized this was not feasible in a lifetime.
Since this is not the first time we got a request to open a TREZOR, we decided to build a custom made tool, that uses GPU’s about a year ago. The custom tool speed was 240.000 passwords per second, an increase by 1000x compared to the gurnec github source.
CUSTOMIZING MASK ATTACK
The client gave us 5 wallet addresses that he used in the past, a list of hints, and the 24 word mnemonic. First we had to determinate if the 24 words were valid, and if the mnemonic was valid as a whole. (there are only a specific number of words being used in a mnemonic, and the last word is a checksum, where a wrong word or a wrong order does not pass the checksum).
Next, we had to choose which derivation path to search for, a TREZOR can use both LEGACY and SEGWIT addresses, their specifications can easily be distinguished by looking at the first character of the address. LEGACY starts with 1 and SEGWIT with 3. They also use different derivation paths depending on BIP version, so we had to make a specification which wallet type and what derivation path to use. SEGWIT uses m/49’/0’/0’/0 and LEGACY has several options.
We fired up our custom tool with 8 x 1080Ti Founders Edition GPU cards (they cost up to 1000USD each depending on specification and model).
At first, we searched a large space of characters and words, but the mask and algorithm was taking too long, approximately two months. We had to change tactics and decided to look at the hints from the TREZOR owner and found a pattern. The pattern used small/capital characters as the first password character. Then several lower case characters, and then a limited combinations of numbers (birth dates, months, pin codes to safe etc). Two special characters were also used, so we had to add that into account.
We modified the mask again, and BOOM, we found the password within 24 hours after the “interview”.
A quick message on Wechat, asking the client for his BTC wallet (we advised him not to use the same TREZOR again). We transferred his funds within an hour.
Lessons learned: It is possible to find a missing passphrase using customized mask attacks to a TREZOR hardware wallet, taking into account that you have appropriate software, hardware and a fair knowledge of your password hints.
This article was written by KEYCHAINX LLC’s CEO Robert Rhodin who works with Bitcoin Security, to find our more about our company please visit https://keychainx.io or send us an email to [email protected]