We appreciate organizations like Kraken Security that are on the watch for vulnerabilities that can impact the crypto world. The Kraken Security Team contacted ShapeShift with this report on September 11th, 2019. Because security is always a top priority for ShapeShift, our security team immediately investigated and found that this was an already known category of attack. On June 13th, 2019, we blogged about the issue and recommended that KeepKey users enable their BIP39 passphrase.

It’s misleading to claim the device can be hacked in 15 minutes. Executing this attack requires significant preparation and expertise as well as specialized equipment, and assumes physical possession of the device.

Regardless, KeepKey owners can help prevent the attack by enabling the BIP39 passphrase on the device. Enabling this passphrase has always been the best practice for maximum security with KeepKey and similar hardware wallets.

Crypto users must be focused on security at all times, which includes awareness about protecting their physical devices. The only way to protect data on any device is to encrypt that data first. This means that no hardware wallet on the market today can keep keys safe from physical attacks unless strong encryption is used.

We wrote two articles about this issue on our blog: one on June 13th, 2019 and one on August 17th, 2019.

Kraken Security has echoed the recommendations made there:

  1. Do not allow physical access to your [device]
  2. Enable Your BIP39 Passphrase […]

We will continue to educate ShapeShift and KeepKey users about best practices — such as using a passphrase — to help protect their funds.


Our Responsible Disclosure Program

If you’re a security researcher who has found what you believe to be a bug or vulnerability in any of ShapeShift’s products or services, don’t hesitate to submit it to ShapeShift’s Security Team via our Responsible Disclosure Program.