Inside Kraken Security Labs: Flaws Found in CoolWallet S Hardware Wallets

At Kraken Security Labs, we try to discover attacks against crypto users before the bad guys do. 

The CoolBitX CoolWallet S is a credit-card sized wallet that pairs with mobile phone applications (both Android and iOS) via Bluetooth.

We recently discovered the CoolWallet S Android application stores the wallet’s PIN, pairing password, and hardware seed in plaintext. This vulnerability means that if the phone becomes compromised, either by physical theft or with malware, the attacker can easily obtain everything they need to empty the paired hardware wallet

Your seed is functionally the same as your private key. If an attacker gets your seed, they can enter it into any other software or hardware wallet and gain total control over your funds.

Additionally, the hardware wallet is reliant on the security protections of the paired phone. If the attacker gets both your phone and wallet, they can unlock your wallet and either pair it to another phone or send funds directly from the device with the push of a button.

Other manufacturers require the input of a separate PIN on the wallet as an additional layer of security, but the CoolWallet S does not. 

Upon discovery, Kraken Security Labs responsibly disclosed the full details of this attack to the CoolWallet S team on January 2, and they have released fixes to prevent the app from disclosing the seed, pairing password and App Lock PIN. You can review the CoolWallet S team’s response at https://www.coolwallet.io/our-response-to-kraken-security-labs

Here are additional steps you can take to protect yourself:

  • Update your CoolBitX Crypto Android application
    • Verify that you are using the latest version (1.11.592 as of this writing).
  • Don’t carry or store your CoolWallet S with the paired phone 
    • The app updates do not change the fact that your wallet security ultimately depends on your phone. Follow security best practices on the paired phone, including using a strong passcode and keeping the operating system up-to-date.
  • Always generate the seed on the CoolWallet S
    • Users are presented with the option to generate a seed on their wallet or on their phone. The CoolWallet S team fixed the issues identified when you generate a seed on your phone, but we still think you should always generate the seed on your wallet.
  • Turn on App Lock and display destination addresses 
    • The application doesn’t enable these security features by default but we think they are necessary for protecting your crypto.

Technical Details

The CoolBitX CoolWallet S is a unique hardware cryptocurrency wallet that utilizes a unique credit-card form factor. It additionally features an EAL 5+ secure element for cryptocurrency.

However, despite the extensive security features and the certification level of the CoolBitX secure element, several major fundamental architectural weaknesses were identified. Despite integrating an EAL5+ certified secure element, the PIN verification cannot be performed on the hardware wallet itself. Instead, PIN verification is performed on the host, i.e. the CoolBitX mobile application.

We found several critical vulnerabilities in the Android application which trivially allow seed extraction. While these can be patched, without secure PIN entry on the device, it is only as secure as the user’s mobile phone.

Ineffective ‘App Lock’

The CoolBitX application features an optional App Lock feature that implements additional authentication for the application. This requires the user to enter a PIN to access the app. The App Lock feature does not encrypt the secret information stored by the application, and there are multiple ways to bypass this App Lock were found. 

Clear-text storage of PIN 

One way to bypass the App Lock is simply to recover the PIN used for the App Lock. The PIN is stored in clear-text in the shared-preferences of the application. An attacker with physical access to the phone or a malicious app installed on the device is thus capable of recovering the PIN.

k-blog-coolwallet-4

Contents of the XML file containing the cleartext PIN

PIN is logged to the system log

When the application is started and before the PIN is entered, the clear-text PIN is logged to the Android system log and can be retrieved in cleartext with standard Android debugging tools.

This functionality is included in Android debugging with the “logcat” command. On older Android versions, it is also possible for applications to request the READ_LOG permission, which would potentially also allow a malicious application to retrieve the lock code.

k-blog-coolwallet-5

PIN recovery by recording the screen

The app fails to set FLAG_SECURE flag during user interaction with the App Lock screen. As a result, a malicious application capable of recording the screen or taking screenshots can record the user entering the PIN.

Because button presses are highlighted on the screen as the user interacts with the UI, a screen recording would reveal a user’s PIN. The MediaProjection API, for example, provides sufficient capabilities for recording the PIN and the resulting screen-recording will contain the entered PIN.

Execute the ‘Main Activity’ directly

The app fails to prevent users from bypassing the App Lock completely. It is possible to directly execute the Main Activity in the Android App, which normally is executed after successful PIN entry. This can either be done through another (malicious app), or with the adb CLI tool:

am start -n com.coolbitx.cwsapp/com.cwsapp.view.MainActivity

Unprotected Seed 

The current CoolWallet S firmware and smartphone application support two methods of generating the seed. The first method generates the seed on the hardware wallet. Alternatively, users can choose to generate the seed in the smartphone application. 

Seed setup does not use a ‘Secure Activity’

However, the Android application does not set the FLAG_SECURE flag while executing the activity. As a result, the seed can be captured by applications that do screen-recording, or by ADB (i.e. using adb shell screencap -p /sdcard/screen.png).

‘Seed Generation’ logs seed twice to the system log

The seed is logged twice to the Android log when generating the seed on the device. This can be recovered from the adb CLI interface using logcat.

k-blog-coolwallet-6

Unprotected Pairing Password 

A Pairing Password is used for authentication between the smartphone and the CoolWallet S. The Pairing Password is an 8-digit numeric passphrase that is shared between the smartphone and CoolWallet S.

To pair a fully provisioned CoolWallet S with another smartphone, only the Pairing Password is required.

An attacker that is able to get physical access to the CoolWallet S and the Pairing Password can subsequently pair the CoolWallet S to another Smartphone and thus have access to all the funds stored on the CoolWallet S without knowing the user’s PIN.

‘Pairing Password’ not using FLAG_SECURE

The activity that shows the pairing password between the smartphone application and the wallet does not use the FLAG_SECURE flag, meaning that a malicious app can recover the pairing password through screen recording.

Pairing password is logged to the system log

The seed is logged twice to the Android log when generating the seed on the device. This can be recovered from the adb CLI interface using logcat.

k-blog-coolwallet-7

The plaintext pairing password logged to the Android log

Unprotected Secrets in Memory

Any secret data generated by the smartphone application, i.e. the seed or the PIN, are retained in memory. The smartphone application does not flush sensitive data from memory.

As a result, sensitive data can be leaked by the smartphone application to another malicious smartphone application or recovered from a rooted device.

No authentication required to sign transactions

No PIN or passphrase is required to confirm and sign transactions. To sign transactions with the CoolWallet S, it is sufficient to have access to the CoolWallet and the paired smartphone. The only form of access control is the App Lock described above. No additional authentication is required to confirm the transactions. The user simply confirms a transaction by pressing a button on the wallet.

This is particularly problematic as the vendor suggests that users can carry this CoolWallet S in their wallet with their credit cards. This implies that users of the CoolWallet S are likely to carry both the CoolWallet S and their smartphone on their person.

Full transaction details are not displayed on the wallet

Additionally, the destination address is not displayed on the wallet screen by default. When a transaction is confirmed on the CoolWallet S, only the amount and the currency are shown. This makes it impossible for a user to verify the recipient of the transaction. A “Show full address” option is available in the Settings, however it is turned off by default.

If the option is activated, the address is shown in a custom alphabet, making it both tedious and error prone to verify address. In practice, verifying the address was so tedious and difficult that transaction often timed out. Additionally, the custom alphabet is case insensitive, meaning the device cannot accurately display some address formats.

k-blog-coolwallet-9