Illustration by Kristen Radtke / The Verge
First, he forgot his PIN — then he started looking for hackers
Jan 24, 2022, 3:49pm EST
In early 2018, Dan Reich and a friend decided to spend $50,000 in Bitcoin on a batch of Theta tokens, a new cryptocurrency then worth just 21 cents apiece. At first, they held the tokens with an exchange based in China, but within weeks, a broad crackdown on cryptocurrency by the Chinese government meant they would soon lose access to the exchange, so they had to transfer everything to a hardware wallet. Reich and his friend chose a Trezor One hardware wallet, set up a PIN, and then got busy with life and forgot about it.
By the end of that year, the token had sunk to less than a quarter of its value, come back up, and then crashed again. Reich decided he wanted to cash out, but his friend had lost the paper where he’d written the PIN and couldn’t remember the digits. They tried guessing what they thought was a four-digit PIN (it was actually five), but after each failed attempt, the wallet doubled the wait time before they could guess again. After 16 guesses, the data on the wallet would automatically erase. When they reached a dozen tries, they stopped, afraid to go further.
Reich gave up and wrote off the money in his mind. He was willing to take the loss — until the price started to rise again.
From a low of around $12,000, the value of their tokens started to skyrocket. By the end of 2020, it would be worth more than $400,000, rising briefly to over $3 million. It would be hard to get into the wallet without the PIN — but it wasn’t impossible. And with potentially millions on the line, Reich and his friend vowed to find a way inside.
The only way to own cryptocurrency on the blockchain is to have sole possession of a private key associated with a block of currency — but managing those keys has been a, sometimes high-stakes, challenge from the beginning. You can’t sell or spend your currency without the key (or the string of words used to derive the key, also called the seed) — but if anyone else gets hold of it, they can grab your coins in a single anonymous transaction from anywhere in the world. You can store your key in a software wallet on an exchange service’s server or in a software wallet on your own computer or mobile phone — but those are vulnerable to remote attack if anyone on the internet is able to get your key.
Hardware wallets, the size of a USB stick, are meant to solve that problem, storing the key locally, off the internet, and signing transactions inside the secure wallet when you insert the device into a computer and enter the PIN. But if you forget the PIN and don’t have the key written down, you’re generally out of luck and can no longer access your currency on the blockchain.
This happens more often than you might think. The cryptocurrency data firm Chainalysis estimates that more than 3.7 million Bitcoins worth $66.5 billion are likely lost to owners. Currency can be lost for many reasons: the computer or phone storing a software wallet is stolen or crashes and the wallet is unrecoverable; the owner inadvertently throws their hardware wallet away; or the owner forgets their PIN or dies without passing it to family members.
As the value of their inaccessible tokens rapidly rose in 2020, Reich and his friend were desperate to crack their wallet. They searched online until they found a 2018 conference talk from three hardware experts who discovered a way to access the key in a Trezor wallet without knowing the PIN. The engineers declined to help them, but it gave Reich hope.
“We at least knew that it was possible and had some directional idea of how it could be done,” Reich says.
Then they found a financier in Switzerland who claimed he had associates in France who could crack the wallet in a lab. But there was a catch: Reich couldn’t know their names or go to the lab. He’d have to hand off his wallet to the financier in Switzerland, who would take it to his French associates. It was a crazy idea with a lot of risks, but Reich and his friend were desperate.
COVID and lockdowns slowed their plans in 2020, but in February 2021, with the value of their tokens now $2.5 million, Reich was making plans to fly to Europe, when suddenly they found a better option: a hardware hacker in the US named Joe Grand.
Grand is an electrical engineer and inventor who has been hacking hardware since he was 10. Known by the hacker handle “Kingpin,” he was part of the famed L0pht hacker collective that, in 1998, testified to the US Senate about a vulnerability that could be used to take down the internet or allow an intelligence agency to spy on traffic. In 2008, he co-hosted the Discovery Channel’s “Prototype This” show and currently teaches hardware hacking to organizations and companies that design complex systems and want to understand how hackers can attack their products.
Reich, an electrical engineer himself who owns a software company, had a better ability than most to assess if Grand had the skills to pull off the hack. After a single conversation, he knew they’d found the right person. “I remember thinking, ‘Wow, this is perhaps one of the brightest electrical engineers I’ve ever met,’” he recalls.
Grand, who has a custom lab in his family’s Portland backyard, purchased several identical wallets to the one Reich and his friend owned and installed the same version of firmware on them. Then he spent three months doing research and attacking his practice wallets with various techniques. They agreed that Reich, who lives in New Jersey, wouldn’t fly out to Portland with his wallet until Grand succeeded to crack three wallets using the same technique.
“If he screwed something up, there was a good shot that it would never be able to be recovered,” says Reich.
Luckily for Grand, there was previous research to guide him. In 2017, a 15-year-old hardware hacker in the UK named Saleem Rashid had developed a method to successfully unlock a Trezor wallet belonging to tech journalist Mark Frauenfelder and helped him free $30,000 in Bitcoin.
Rashid found that when the Trezor wallet was turned on, it made a copy of the PIN and key that was stored in the wallet’s secured flash memory and placed the copy in RAM. A vulnerability in the wallet allowed him to put the wallet into firmware update mode and install his own unauthorized code on the device, which let him read the PIN and key where it was in RAM. But the installation of his code caused the PIN and key stored in long-term flash memory to erase, leaving only the copy in RAM. This made it a risky technique for Grand to use; if he inadvertently erased the RAM before he could read the data, the key would be unrecoverable.
In any case, Trezor had altered its wallets since then so that the PIN and key that got copied to RAM during boot-up got erased from RAM when the device was put into firmware update mode.
So Grand looked instead to the method used in the 2018 conference talk that Reich had also examined previously. The researchers in this case found that despite Trezor removing the PIN and key that got copied to RAM during boot-up, the PIN and key were showing up in RAM during another stage. They found that at some point during the firmware update mode, the PIN and key were being temporarily moved to RAM — to prevent the new firmware from writing over the PIN and key — then moved back to flash once the firmware was installed. So they devised a technique dubbed “wallet.fail.” This attack used a fault-injection method — also known as glitching — to undermine security protecting the RAM and allow them to read the PIN and key when they were briefly in RAM.
There are three levels of