March 9, 2018
On February 9, 2018, researchers Dusha Igor and Andrey Lovyannikov of ASP Labs responsibly disclosed a format string attack vulnerability on KeepKey devices. The KeepKey development team immediately responded to the disclosure and patched the vulnerable code. A mandatory firmware update was made available to all devices on February 21, 2018, that eliminated this vulnerability and implemented additional fixes to further prevent this or any similar threats.
The hypothetical attack works by sending specially formatted strings to the device that could potentially be used to execute exploit code and/or retrieve sensitive data from the device. This is done by injecting special formatting characters into specific messages that can force the device to display data that is normally inaccessible. To our knowledge, no KeepKey user was hacked due to this vulnerability and no exploit has been developed.
Two additional patches were recognized and added by the development team, one to address the ability of a malicious actor to crash the device with a specially formatted string, and the other to fix a bug that prevented an existing security hardening mechanism from working correctly.
The First Patch: The first patch protects devices from crashing if a displayed message contains characters that are missing from the device’s font.
The Second Patch: This other patch fixes a bug in the random number generator initialization that prevented stack hardening protection from properly functioning.
As with all security updates, we also protect against downgrade attacks by forcing the device to wipe its private keys in the event that an older firmware is loaded. Collectively, these fixes harden the security of all KeepKey devices.
Our entire team would like to thank the researchers from ASP Labs, Dusha Igor and Andrey Lovyannikov, for responsibly disclosing this information. Both were rewarded with a considerable bounty for providing the information.
If you have any questions about these vulnerabilities and their respective fixes, please contact our support team.
If you have security information to disclose, please contact firstname.lastname@example.org
The KeepKey Team