Developers of the Coldcard Bitcoin hardware wallet have released a beta firmware patch for a vulnerability of the same kind as the one that affected the Ledger hardware wallet earlier this year.
Security researcher Ben Ma, who works for hardware wallet maker Shift Crypto, discovered the vulnerability in the Coldcard hardware wallet: an attacker could trick a Coldcard user into approving a real BTC mainnet transaction while the user believes they are signing a transaction on the testnet.
BTC transactions on the test network and the main network “have the same transaction representation,” Ma writes on the Shift Crypto blog. An attacker can therefore hand the hardware wallet a Bitcoin mainnet transaction dressed up to look like a testnet transaction, and the user has little chance of noticing the substitution.
Ma became aware of the vulnerability after an anonymous researcher discovered a so-called “isolation bypass” attack on a Ledger hardware wallet. When the initial vulnerability was discovered, Coinkite founder and Coldcard creator Rodolfo Novak said:
“Coldcard does not support any ‘shitcoins’, we think this is the best way to go.”
In his view, a wallet that handles only BTC would be safe, since the Ledger vulnerability arose in part from the fact that Ledger wallets previously allowed different coins to be managed with the same private key. Because Coldcard does not support multiple coins, in theory the wallet should not have this problem. However, the wallet can also be used for transactions on the Bitcoin testnet, and that opens an avenue for attackers.
If a user’s computer is compromised and their Coldcard wallet is unlocked and connected to that device, an attacker could trick them into sending BTC on the mainnet instead of a transaction on the testnet.
“The attacker simply has to convince the user to try the transaction on the testnet using any social engineering attack. After the user confirms the testnet transaction, the attacker receives the same amount of BTC from the mainnet,” Ma writes in a blog post.
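To make the “same transaction representation” point concrete, here is an added illustration (written for this page, not code from Ma’s post, Shift Crypto or Coinkite). It serializes a minimal legacy Bitcoin transaction and shows that neither the wire format nor the digest a signer commits to carries any network identifier: the only place “mainnet” or “testnet” appears is in the host-side address encoding (version byte 0x00 vs 0x6f), which the device never signs. The final function, `coin_type_matches`, is a hypothetical signer-side consistency check using the BIP44/SLIP-44 coin_type convention (0' for Bitcoin mainnet, 1' for testnet); it is an illustration of the kind of check that would catch the mismatch, not a description of Coldcard’s actual patch. The outpoint, destination hash and amount are constructed sample values.

```python
import hashlib
import struct

# Constructed sample data for the demonstration (not real chain data).
PREV_TXID = bytes.fromhex("aa" * 32)       # outpoint being spent, as serialized on the wire
PREV_VOUT = 0
DEST_HASH160 = bytes.fromhex("89abcdefabbaabbaabbaabbaabbaabbaabbaabba")  # 20-byte pubkey hash
AMOUNT_SATS = 50_000_000                   # 0.5 BTC
SIGHASH_ALL = 1

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def varint(n: int) -> bytes:
    # Single-byte CompactSize; enough for the small counts used here.
    assert n < 0xFD
    return bytes([n])


def p2pkh_script(h160: bytes) -> bytes:
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    return b"\x76\xa9\x14" + h160 + b"\x88\xac"


def serialize_tx(prev_txid: bytes, prev_vout: int, value: int, script_pubkey: bytes) -> bytes:
    """Legacy (non-segwit) serialization of a one-input, one-output transaction.
    There is deliberately no 'network' parameter: the wire format has no field for it."""
    tx = struct.pack("<i", 1)                                  # version
    tx += varint(1)                                            # input count
    tx += prev_txid + struct.pack("<I", prev_vout)             # outpoint
    tx += varint(0)                                            # empty scriptSig (unsigned)
    tx += struct.pack("<I", 0xFFFFFFFF)                        # sequence
    tx += varint(1)                                            # output count
    tx += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    tx += struct.pack("<I", 0)                                 # locktime
    return tx


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def signing_digest(tx_bytes: bytes) -> bytes:
    """Simplified legacy sighash: double-SHA256 over the serialized tx plus the sighash type.
    The real preimage substitutes the scriptCode into the spent input, but it likewise
    contains nothing that distinguishes mainnet from testnet."""
    return sha256d(tx_bytes + struct.pack("<I", SIGHASH_ALL))


def base58check(payload: bytes) -> str:
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def address_from_script(script: bytes, network: str) -> str:
    """The human-readable address is computed by host software from the 20-byte hash in the
    script plus a network-specific version byte. Same script, different display string."""
    version = {"mainnet": b"\x00", "testnet": b"\x6f"}[network]
    return base58check(version + script[3:23])


def coin_type_matches(path: str, claimed_network: str) -> bool:
    """Hypothetical signer-side check (illustration only, not Coldcard's patch): refuse a
    'testnet' signing request whose keys are derived under the mainnet coin_type, and vice
    versa. BIP44 layout is m/purpose'/coin_type'/account'/change/index."""
    parts = path.split("/")
    if len(parts) < 3 or parts[0] != "m":
        return False
    coin = parts[2].rstrip("'h")
    return coin == {"mainnet": "0", "testnet": "1"}[claimed_network]


def demo() -> dict:
    script = p2pkh_script(DEST_HASH160)
    # The attacker builds exactly this transaction and tells the user it is a testnet one.
    tx = serialize_tx(PREV_TXID, PREV_VOUT, AMOUNT_SATS, script)
    return {
        # What the attacker's host software shows the user...
        "testnet_address": address_from_script(script, "testnet"),
        # ...and where the same script actually pays out on mainnet.
        "mainnet_address": address_from_script(script, "mainnet"),
        "tx_hex": tx.hex(),
        "digest": signing_digest(tx).hex(),
        # A coin_type check would reject the mismatch: mainnet keys, 'testnet' request.
        "accept_mainnet_keys_as_testnet": coin_type_matches("m/44'/0'/0'/0/0", "testnet"),
        "accept_testnet_keys_as_testnet": coin_type_matches("m/44'/1'/0'/0/0", "testnet"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway is in the two address strings: the user is shown an `m…`/`n…` testnet address, but the bytes the device signs commit only to the 20-byte hash, which is equally spendable behind the `1…` mainnet address. The signer can only tell the two apart from metadata it is not signing, such as the derivation path of the keys it is asked to use.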
Because the attack can be carried out remotely, the vulnerability meets Shift Crypto's criteria for a critical issue, which is why it was disclosed publicly. According to the blog post, Ma reported the vulnerability to Coinkite on August 4, and Novak acknowledged it the next day. On November 23, Coldcard released a beta firmware to address the vulnerability.