In Tuesday’s edition of The Daily, we detail the theoretical vulnerability found in the Coldcard crypto wallet, coming just one month after its manufacturer ridiculed the flaw found in other hardware wallets. Sticking with vulnerabilities, we also consider the risks of leaving your funds on an exchange in the wake of Liqui’s demise and examine how private zcash transactions really are.
Also read: Italian Court Orders Bitgrail Founder to Refund $170M of ‘Missing’ Cryptocurrency
Coldcard Subjected to Proof-of-Concept Hack
Coldcard, the hardware wallet (HW) developed by Coinkite, is vulnerable to a theoretical man in the middle attack that would enable its PIN code to be tried multiple times a second. The attack would require physical access and specialist hardware to perform, but was nevertheless deemed serious enough for Coinkite to publish a blog post encouraging users to select a long PIN code. The white hat hacker who found the exploit, Lazy Ninja, shared his findings with Coinkite, along with a video demonstrating it in action.
If you have a COLDCARDWallet you should increase your PIN to at least 6 digits and if you ever lose your wallet you should move your funds to a new seed root. I'll post some more technical details on the attack soon.
— LazyNinja ☇ (@FreedomIsntSafe) January 28, 2019
As Coinkite explains, “His approach takes between 5 and 10 seconds per PIN attempt … Although we allow very short PIN codes—even just four digits (2+2) for development—as explained in our documentation, best practice is using an eight digit PIN code (4+4), which is what we recommend.” In December, Coinkite published a blog post titled “Some Other Wallets.fail” which poked fun at other manufacturers’ devices that were exploited by
