The “Bypass” attack on Bitcoin's Coldcard wallet could lead users to make mistakes when sending funds

The bitcoin-only hardware wallet Coldcard has released a beta firmware patch for a vulnerability that also affected a competing hardware wallet earlier this year.

“Bypass” vulnerability in the Bitcoin wallet

Ben Ma, a security researcher at hardware wallet maker Shift Crypto, found a bug in the Coldcard hardware wallet: an attacker could trick a Coldcard user into signing a real bitcoin transaction while the user believes they are signing a "testnet" transaction, that is, a payment on Bitcoin's test network, whose coins have no value and which is separate from mainnet.

Under the hood, however, a testnet transaction and a mainnet transaction are the same thing, Ma writes in his post disclosing the vulnerability: the serialized transaction and the signature over it carry no indication of which network they belong to; only the key derivation path and the way addresses are encoded for display differ. An attacker can therefore hand the hardware wallet a mainnet transaction and make it look like a testnet transaction.

Because the device presents the mainnet transaction as a testnet one, the user has no way to spot the problem on the screen. Ma found the issue after a pseudonymous researcher disclosed the so-called "isolation bypass" attack against the hardware wallets of France-based Ledger.

Unlike Coldcard, Ledger supports many currencies, so on Ledger devices the bypass attack worked by tricking users into sending bitcoin when they intended to send litecoin, bitcoin cash, or testnet bitcoin.

After responsible disclosure, the vulnerability was fixed

When the Ledger vulnerability was first disclosed, Coinkite founder and Coldcard creator Rodolfo Novak said, "Coldcard does not support any shitcoin, we find it to be the best route," implying that his bitcoin-only wallet would be safe, since the bug stemmed in part from Ledger devices handling different currencies with the same private key.

Since Coldcard does not support other currencies, in theory it should not have this problem. And it would not, were it not for the fact that the vulnerability can also be exploited with testnet bitcoin addresses.

If a user's computer is compromised and their unlocked Coldcard is connected to it, an attacker could trick them into sending real bitcoin when they believe they are sending testnet bitcoin.

“The attacker simply has to convince the user, for example, to ‘try a testnet transaction’ or buy an ICO with testnet coins or anything that can make the user execute a testnet transaction.

After the user confirms a testnet transaction, the attacker receives the same amount of real bitcoins,” Ma writes in the post. Because an attacker could carry out this attack remotely, the bug met Shift Crypto's criticality criteria, which triggered its responsible disclosure process.
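The two points above, that a testnet transaction and a mainnet transaction are the same bytes and that only the device's display distinguishes them, are easier to see in code. The following is an added example written for this article; it is not Coldcard's firmware, Shift Crypto's proof of concept, or code from Ma's post. It assumes a legacy P2PKH output and BIP44-style derivation paths whose second hardened index is the SLIP-44 coin_type (0 for mainnet, 1 for testnet); the pubkey hash and derivation paths are constructed samples. The chain-consistency check at the end is one plausible mitigation, not necessarily the one Coldcard shipped, which the article does not describe.

```python
"""
Added example (not Coldcard's or Shift Crypto's code): why a transaction a wallet
displays as "testnet" can be a valid mainnet transaction, and one check a signing
device can apply to refuse it.

Assumptions: a P2PKH output; BIP44-style paths where the second hardened index is
the SLIP-44 coin_type (0 = mainnet, 1 = testnet). Sample values are constructed.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Real Bitcoin constants: Base58Check version byte of P2PKH addresses per chain.
P2PKH_VERSION = {"mainnet": 0x00, "testnet": 0x6F}
# Real SLIP-44 coin_type values used in BIP44 derivation paths.
CHAIN_COIN_TYPE = {"mainnet": 0, "testnet": 1}

# Constructed sample: a 20-byte HASH160 of some public key.
SAMPLE_PUBKEY_HASH = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")


def base58check(payload: bytes) -> str:
    """Base58Check-encode version byte + data with a 4-byte double-SHA256 checksum."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def p2pkh_address(pubkey_hash: bytes, chain: str) -> str:
    """The address the wallet *displays* depends only on which chain it thinks it is on."""
    return base58check(bytes([P2PKH_VERSION[chain]]) + pubkey_hash)


def p2pkh_script_pubkey(pubkey_hash: bytes) -> bytes:
    """What actually goes into the transaction and under the signature.
    OP_DUP OP_HASH160 PUSH20 <hash> OP_EQUALVERIFY OP_CHECKSIG: no network byte at all."""
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


def coin_type_from_path(path: str) -> int:
    """Extract the hardened coin_type from a path like m/44'/0'/0'/0/5 (returns 0)."""
    parts = path.split("/")
    if len(parts) < 3 or parts[0] != "m":
        raise ValueError("unexpected derivation path: %r" % path)
    coin = parts[2]
    if not coin or coin[-1] not in ("'", "h"):
        raise ValueError("coin_type index must be hardened: %r" % path)
    return int(coin[:-1])


def signing_request_allowed(device_chain: str, input_paths) -> bool:
    """Assumed mitigation: every key the device is asked to sign with must be
    derived under the coin_type of the chain the device is currently displaying.
    A mainnet-path key spending while the screen says "testnet" is the bypass."""
    expected = CHAIN_COIN_TYPE[device_chain]
    return all(coin_type_from_path(p) == expected for p in input_paths)


def bypass_demo() -> dict:
    """Victim's view versus reality for one and the same output script."""
    script = p2pkh_script_pubkey(SAMPLE_PUBKEY_HASH)
    return {
        "signed_output_script": script.hex(),  # identical on both chains
        "shown_to_user_in_testnet_mode": p2pkh_address(SAMPLE_PUBKEY_HASH, "testnet"),
        "where_mainnet_coins_actually_go": p2pkh_address(SAMPLE_PUBKEY_HASH, "mainnet"),
        # Attacker's request: device in testnet mode, inputs controlled by mainnet keys.
        "chain_check_would_sign": signing_request_allowed("testnet", ["m/44'/0'/0'/0/0"]),
    }


if __name__ == "__main__":
    for key, value in bypass_demo().items():
        print(f"{key}: {value}")
```

The script shows that the output script the device signs is byte-for-byte the same whichever chain it believes it is on; the testnet address starting with "m" or "n" and the mainnet address starting with "1" are two renderings of one 20-byte hash. A device that only switches the address rendering therefore cannot protect the user; it has to tie the signing keys themselves to the chain, which is what the coin_type check does for the input keys. In a real PSBT the device would read those paths from the BIP32 derivation fields of each input rather than from a list.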

According to the post, Ma disclosed the vulnerability to Coinkite on August 4 and Novak acknowledged it the next day. On November 23, Coldcard released beta firmware fixing the vulnerability.