A Shift Crypto employee successfully deployed a ransom attack on Trezor and KeepKey hardware wallets last May. While Trezor released a fix on September 2, KeepKey has yet to fix the issue.


According to a blog post published on September 2, the vulnerability affected all cryptocurrencies on affected devices. The exploit, which was first spotted on April 15 by developers at Shift Crypto, also affected KeepKey wallets — which were originally based on a fork of Trezor’s code and likely operate on similar foundations.


When asked about the vulnerability, a KeepKey representative apparently commented that a fix had not yet been developed, explaining that their developers “are working on higher priority items first.”


The blog post’s author warned:



“A malicious wallet or a man-in-the-middle [ransomware] modifying data transferred via USB could send an arbitrary fake passphrase to the Trezor / KeepKey, and hold any coins received in this wallet hostage.”



He also added that the passphrase entered by the user could “simply be ignored,” in favor of a replacement passphrase known only to the attacker.


In May, the customer databases of Trezor, Ledger, and KeepKey were allegedly listed for sale following a substantial data breach.


The hacker claimed to be in possession of account information corresponding to nearly 41,500 Ledger users, over 27,100 Trezor users, and 14,000 KeepKey customers.


SatoshiLabs noted at the time that they did not believe the information to be genuine.