Saturday, 11 November 2017

‘I forgot my PIN': AN epic tale of losing $30,000 in Bitcoin

"I felt queasy. After my sixth incorrect PIN attempt, creeping dread had escalated to heart-pounding panic—I might have kissed my 7.4 bitcoins goodbye," writes Mark Frauenfelder, the director of research at the Institute of the Future's Blockchain Futures Lab, in Wired. Read on:  

The Trezor: January 4, 2016: 7.4 BTC = $3,000
In January 2016, I spent $3,000 to buy 7.4 bitcoins. At the time, it seemed an entirely worthwhile thing to do. I had recently started working as a research director at the Institute for the Future’s Blockchain Futures Lab, and I wanted firsthand experience with bitcoin, a cryptocurrency that uses a blockchain to record transactions on its network. I had no way of knowing that this transaction would lead to a white-knuckle scramble to avoid losing a small fortune.

My experiments with bitcoin were fascinating. It was surprisingly easy to buy stuff with the cryptocurrency. I used the airBitz app to buy Starbucks credit. I used Purse.io to buy a wireless security camera doorbell from Amazon. I used bitcoin at Meltdown Comics in Los Angeles to buy graphic novels.

By November, bitcoin’s value had nearly doubled since January and was continuing to increase almost daily. My cryptocurrency stash was starting to turn into some real money. I’d been keeping my bitcoin keys on a web-based wallet, but I wanted to move them to a more secure place. Many online bitcoin services retain their customers’ private bitcoin keys, which means the accounts are vulnerable to hackers and fraudsters (remember the time Mt. Gox lost 850,000 bitcoins from its customers’ accounts in 2014?) or governments (like the time BTC-e, a Russian bitcoin exchange, had its domain seized by US District Court for New Jersey in August, freezing the assets of its users).

I interviewed a handful of bitcoin experts, and they all told me that that safest way to protect your cache was to use something called a “hardware wallet.” This little device is basically a glorified USB memory stick that stores your private bitcoin keys and allows you to authorize transactions without exposing those keys to the internet, where they could be seized by bad actors. I settled on a hardware wallet called the Trezor (the Czech word for “safe”), described by the manufacturer as “bulletproof.” I bought one on November 22 for $100 on Amazon (again, via Purse.io).

When the Trezor arrived, I plugged it into my computer and went to the Trezor website to set it up. The gadget’s little monochrome screen (the size of my two thumbnails, side by side) came to life, displaying a padlock icon. The website instructed me to write down 24 words, randomly generated by the Trezor one word at a time. The words were like “aware,” “move,” “fashion,” and “bitter.” I wrote them on a piece of orange paper. Next, I was prompted to create a PIN. I wrote it down (choosing a couple of short number combinations I was familiar with and could easily recall) on the same piece of paper as the 24-word list.

The Trezor website explained that these 24 words were my recovery words and could be used to generate the master private key to my bitcoin. If I lost my Trezor or it stopped working, I could recover my bitcoin by entering those 24 words into a new Trezor or any one of the many other hardware and online wallets that use the same standard key-generation algorithm. It was important for me to keep the paper hidden and safe, because anyone could use it to steal my 7.4 bitcoins. I transferred my currency from my web-based wallet to my Trezor, tossing both the Trezor and the orange piece of paper into a desk drawer in my home office. My plan was to buy a length of flat aluminum stock and letterpunch the 24 words onto it, then store it somewhere safe. I was going to do it right after the holidays.

The Mistake: March 16, 2017: 7.4 BTC = $8,799
It was 6:30 in the morning. My 14-year-old daughter, Jane, was in London on a school trip, and my older daughter, Sarina, was at college in Colorado. My wife Carla and I were getting ready to leave for the airport to take a vacation in Tokyo. As I was rummaging through my desk drawer for a phone charger, I saw the orange piece of paper with the recovery words and PIN. What should I do with this? If our plane plowed into the ocean, I’d want my daughters to be able to get the bitcoins. The coins had already nearly tripled in value since I bought them, and I could imagine them being worth $50,000 one day. I took a pen and wrote on the paper:

Jane, if anything happens, show this paper to Cory. He’ll know what to do with it. Love, Dad
(“Cory” is Cory Doctorow, my friend and business partner at my website, Boing Boing. He’s not a bitcoin enthusiast, but I knew he’d be able to figure out how to retrieve the master private key from the word list.)

I took the paper into Jane’s bedroom, stuck it under her pillow, and we took a Lyft to LAX.

The Garbage: April 4, 2017: 7.4 BTC = $8,384
We returned from Tokyo on March 24, and I didn’t even think about the orange piece of paper until April 4, when I remembered that I’d put it under Jane’s pillow. That’s funny, I thought. She’s been home more than a week and never said anything to me about it.

I went into her room and looked under her pillow. It wasn’t there. I looked under her bed, dragging out the storage boxes to get a better view, using my phone as a flashlight.

“Carla?” I asked. “Did you see that orange piece of paper with my bitcoin password on it? I can’t find it in Jane’s room.”


“Maybe Jane put it in her desk,” she said. Jane was in school, but I texted and asked her. She said she never saw an orange piece of paper.

“Wait,” Carla said. “We had the house cleaned while we were gone. I’ll call them.”

Carla called the cleaning service we’d used and got the woman who cleaned the house on the line. She told Carla that she did indeed remember finding the orange piece of paper.

“Where is it?” Carla asked.

“I threw it away.”

I knew the garbage had already been collected, but I put on a pair of nitrile gloves and went through the outside trash and recycling bins anyway. Nothing but egg cartons, espresso grinds, and Amazon boxes. The orange piece of paper was decomposing somewhere under a pile of garbage in a Los Angeles landfill.

Carla asked if losing the paper was a big deal.

“Not really,” I said. “It’s just a hassle, that’s all. I’ll have to send all the bitcoins from the Trezor to an online wallet, reinitialize the Trezor, generate a new word list, and put the bitcoins back on the Trezor. It would only be bad if I couldn’t remember my PIN, but I know it. It’s 551445.”


The Forgetting: April 4, 2017: 7.4 BTC = $8,384
I plugged the Trezor into my laptop and entered 551445.

Wrong PIN entered.
I must have made an error entering the PIN, I thought. I tried 551445 again, taking care to enter the digits correctly this time.

Wrong PIN entered.
Uh oh. I tried a slight variation: 554445

Wrong PIN entered.
This is ridiculous, I thought. I knew the PIN. I’d entered it at least a dozen times in recent months without having to refer to the paper. OK, it’s probably 554145.

Wrong PIN entered.

I looked at the tiny monochrome display on the bitcoin wallet and noticed that a countdown timer had appeared. It was making me wait a few seconds before I could try another PIN. My heart fluttered. I went to the hardware wallet manufacturer’s website to learn about the PIN delay and read the bad news: The delay doubled every time a wrong PIN was entered. The site said, “The number of PIN entry failures is stored in the Trezor’s memory. This means that power cycling the Trezor won’t magically make the wait time go to zero again. The best you can do by turning the Trezor on and off again is make the timer start over again. The thief would have to sit his life off entering the PINs. Meanwhile, you have enough time to move your funds into a new device or wallet from the paper backup.” (Trezor is based in Prague, hence the stilted English.)

The problem was, I was the thief, trying to steal my own bitcoins back from my Trezor. I felt queasy. After my sixth incorrect PIN attempt, creeping dread had escalated to heart-pounding panic—I might have kissed my 7.4 bitcoins goodbye.

I made a few more guesses, and each time I failed, my sense of unreality grew in proportion to the PIN delay, which was now 2,048 seconds, or about 34 minutes. I opened my desktop calculator and quickly figured that I’d be dead before my 31st guess (34 years). One hundred guesses would take more than 80 sextillion years.

I broke the news to Carla. I told her I couldn’t remember the PIN and that I was being punished each time I entered an incorrect PIN. She asked me if I’d saved the PIN in my 1Password application (a secure password app). I told her I hadn’t. When she asked me why, I didn’t have an answer.

I knew it would be a mistake to waste a precious guess in my agitated condition. My mind had become polluted with scrambled permutations of PINs. I went into the kitchen to chop vegetables for a curry we were making for dinner. But I couldn’t think of much else besides the PIN. As I cut potatoes into cubes, I mentally shuffled around numbers like they were Scrabble tiles on a rack. After a while, a number popped into my head: 55144545. That was it! I walked from the kitchen to the office. The Trezor still had a few hundred seconds left on the countdown timer. I did email until it was ready for my attempt. I tapped in 55144545.

Wrong PIN entered. Please wait 4,096 seconds to continue…

I barely slept that night. The little shuteye I managed to get was filled with nightmares involving combinations of the numbers 1, 4, and 5. It wasn’t so much the $8,000 that bothered me—it was the shame I felt for being stupid enough to lose the paper and forget the PIN. I also hated the idea that the bitcoins could increase in value and I wouldn’t have access to them. If I wasn’t able to recall the PIN, the Trezor would taunt me for the rest of my life.

The Search: April 5, 2017: 7.4 BTC = $8,325
That morning, bleary eyed, I started looking into ways to get my bitcoins back that didn’t involve recalling my PIN or recovery words. If I’d lost my debit card PIN, I could contact my bank and I’d eventually regain access to my funds. Bitcoin is different. No one owns the bitcoin transaction network. Instead, thousands of computers around the world run software that validates the system’s transactions. Anyone is allowed to install the bitcoin software on their computer and participate. This decentralized nature of the bitcoin network is not without consequences—the main one being that if you screw up, it’s your own damn problem.


I went to /r/TREZOR/ on Reddit and posted:

Feel free to ridicule me—I deserve it. I wrote my PIN code and recovery seed on the same piece of paper. I was planning to etch the seed on a metal bar and hide it, but before that happened my housecleaning service threw the paper away. Now I can't remember my password and I have tried to guess it about 13 times. I now have to wait over an hour to make another guess. Very soon it will be years between guesses. Is there anything I can do or should I kiss my 7.5 bitcoins away?
Most of the replies were sympathetic and unhelpful. One person said I should get in touch with Wallet Recovery Services, which performs brute-force decryption on encrypted Bitcoin wallets. I emailed them and asked for help. “Dave Bitcoin” replied the next day:

I would like to help you ... but I do not see any solution to your problem. You need to either guess your PIN correctly, or find your seed.
A response on the Reddit forum from a user with the handle zero404cool was intriguing:

…all your information is still stored inside Trezor and there are people who know how to get all the information that is needed to get your wallet working again. I have seen it.
He added in another post:

Just keep your Trezor safe. Don't do anything with it. There is no need to try different PIN codes. You can regain possession of all your bitcoins.

The other users on the subreddit thought zero404cool wasn’t on the level. One said he might be a scammer; another accused him of spreading “FUD” (fear, uncertainty, and doubt) about Trezor’s security. I was inclined to agree with them, especially after reading about the lengths Trezor had gone to to make its device impenetrable to hackers. The manufacturer claimed with confidence that the Trezor could withstand any attempt to compromise it. The most obvious way to crack it, by installing unofficial firmware designed to unlock the PIN and keywords, would only have the effect of wiping the Trezor’s storage, the website said.

To confirm, I emailed Trezor and explained my predicament. A customer service representative emailed me back with a link to its “emergency situations guide,” none of which applied to my emergency situation. She wrote:

In all these situations there is either a PIN code or recovery seed needed to get an access to your funds. Unfortunately, without knowledge of at least one of these, no one is able to get access to this particular account with the funds stored on it. Is there anything else I can help you with, Mark?
The situation was starting to feel hopeless. In the meantime, zero404cool sent me a direct message on Reddit offering to help:

Yes, I can help you if you are willing to accept my help. Obviously, you are not going to find these instructions anywhere online. And it requires certain technical skills to complete them properly. A professional can extract all information just in 10 seconds. But this is not public knowledge, it's never going to be.

The problem is that I don't know you. I don't know if your story is real or not. I don't even know if you are a real person who really owns a Trezor. For example, You could as easily ask this to hack into someone else’s device. I can't allow that.

So, for this to work we have to gain each other’s trust I guess.

I wrote back and told zero404cool to Google my name, to help him decide if he could trust me. He’d see that I was one of the first editors of Wired, coming on board in 1993. I founded the popular Boing Boing website, which has 5 million monthly unique readers. I was the founding editor-in-chief of the technology project magazine, Make. A while later, zero404cool replied:

Hi Mark, It seems that you are not afraid of soldering and command line programs. I guess we can proceed with this recovery as DIY project then? I am somewhat busy at the moment; I hope that you are not in too much hurry to complete it?
I replied that I wasn’t in a hurry. I didn’t hear from him after that.

The Hypnotist: May 25, 2017: 7.4 BTC = $12,861
“The hypnosis allows us to open all channels, all information,” Michele Guzy said. I was in a reclining chair in her Encino office, covered in a blanket, concentrating on her soothing patter. My wife, a journalist and editor, had interviewed Michele a few years ago for an article about hypnotism in movies, and I was so desperate to recall my PIN that I made an appointment with her.

Earlier in the session, Michele had me reenact the experience of writing my PIN on an orange piece of paper. She put the paper in her desk drawer and had me sit down and open the drawer and look at the paper. She explained that we were trying different techniques to trigger the memory of the PIN.

The exercises didn’t cause anything to surface to my conscious mind, but Michele told me that we were just priming my subconscious for the upcoming hypnosis portion of my appointment. She dimmed the lights and spoke in a pleasantly whispery singsong patter. She asked me to imagine going down a long, long escalator, telling me that I would fall deeper and deeper into a trance as she spoke. The ride took at least 15 minutes. I felt relaxed—but I didn’t feel hypnotized. I figured I should just go with it, because maybe it would work anyway.

After nearly four hours in her office, I decided the PIN was 5514455.

It took me a few days to build up the nerve to try it. Every time I thought about the Trezor my blood would pound in my head, and I’d break into a sweat. When I tried the number, the Trezor told me it was wrong. I would have to wait 16,384 seconds, or about four and a half hours, until the device would let me try to guess again.

The Final Guess: August 12, 2017: 7.4 BTC = $28,749
I tried to stop thinking about bitcoin, but I couldn’t help myself. To make matters worse, its price had been climbing steeply over the summer with no end in sight. That July, the eccentric software entrepreneur John McAfee tweeted that a single bitcoin would be worth more than $500,000 in three years—“if not, I will eat my dick on national television,” he said, with typical understatement. I didn’t actually believe the price would rise that spectacularly (or that McAfee would carry out his pledge), but it fueled my anxiety.

I couldn’t escape the fact that the only thing keeping me from a small fortune was a simple number, one that I used to recall without effort and was now hidden in my brain, impervious to hypnotism, meditation, and self-scolding. I felt helpless. My daughters’ efforts to sneak up on me and say, “Quick, what’s the bitcoin password?” didn’t work. Some nights, before I went to sleep, I’d lie in bed and ask my brain to search itself for the PIN. I’d wake up with nothing. Every possible PIN I could imagine sounded no better or worse than any other. The bitcoin was growing in value, and it was getting further away from me. I imagined it as a treasure chest on a TRON-like grid, receding from view toward a dimly glowing horizon. I would die without ever finding it out.

Carla and I were folding laundry in the evening when Sarina came in. She was home from college for the summer. “I know what the bitcoin password is!” she said. “It’s 55445!”

“Why do you think that?” I asked.

“Well, you sometimes use 5054 as your password, but since the Trezor doesn’t have a zero, you would have just skipped it and put nothing there. You wouldn’t have made it 5154, you would have just used 554, and added 45 to it.” (I sometimes append my passwords with 45 because the number has a meaning to me.)

Carla looked at me and said, “Your eyes have a spark. Maybe it is the number.” I thought she might be right.

Sarina said, “If it isn’t 55445, then it’s 554455, because sometimes you add 455 at the end of your passwords.”

“That could be it,” I said. “I’ll think about it overnight and if I like it, I’ll try it tomorrow.”

In the morning, I decided that I’d try the numbers. I felt better about them than any other numbers I could think of. I plugged the Trezor in. I had to wait 16,384 seconds, or about four and a half hours, before I could enter the PIN. It was a Sunday, so I did things around the house and ran a couple of errands.

Once the Trezor was ready, I asked Carla, Sarina, and Jane to gather around my computer with me. I wanted them for moral support, to make sure I entered the PIN correctly, and to share in the celebration with me if the PIN happened to be right.

I sat in the chair while Jane, Sarina, and Carla stood around me. My heart was racing so hard that I could hear my head throb. I tried to keep my breathing under control. I entered the PIN slowly. Each time I entered a digit, I waited for one of my family members to confirm that I got it right. After entering 55445, I hovered the mouse cursor over the Enter button on the Trezor website. “Ready?” I asked. They all said OK. I clicked it.

Wrong PIN entered. Please wait 32,768 seconds to continue…
“Ah, shit,” I said.

“That’s OK, Daddy,” Sarina said. “When can we try 554455?”

I opened my calculator.

“Nine hours.”


Carla put her hand on my shoulder. “If it doesn’t work after a few more guesses, you should just break it,” she said. That seemed like the right thing to do. It would soon get to the point where I would have to keep the Trezor plugged into a powered-on computer for months (the countdown starts all over again if you unplug it), and then years and decades. The house we live in has lost power from a tripped circuit breaker, rain, or DWP maintenance at least once a year since we moved in 10 years ago. I could buy an uninterrupted power supply to keep the Trezor juiced during its years-long countdown, but I wanted this to be over, and killing the Trezor would end it.

The next morning before breakfast, I went into the office by myself and tried 554455.

Wrong PIN entered. Please wait 65,536 seconds to continue…

The Email: August 16, 2017: 7.4 BTC = $32,390
Awareness of my forgotten PIN had become something like tinnitus—always in the background, hard to ignore, annoying. What was wrong with my brain? Would I have remembered the PIN if I was in my 20s or 30s? I was feeling sorry for myself when I saw an email from Satoshi Labs, manufacturer of the Trezor, arrive in my inbox.

The subject line read, “TREZOR Firmware Security Update 1.5.2.”

The email said that the update was meant to fix “a security issue which affects all devices with firmware versions lower than 1.5.2.” It went on to say:

In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible. With firmware 1.5.2, this attack vector is eliminated and your device is safe.

Could there be a vulnerability in Trezor’s bulletproof security, one that I could take advantage of? I went to r/TREZOR to see what people were saying about it. The first thing I found was a link to a Medium post by someone who said they knew how to hack the Trezor using the exploit mentioned in the email. The post was titled “Trezor — security glitches reveal your private keys!”

The author included photos of a disassembled Trezor and a screengrab of a file dump that had 24 key words and a PIN. The author also included a link to custom Trezor firmware but no instructions on how to use it. I read the article a couple of times before I looked at the author’s name: Doshay Zero404Cool. It was the same person I’d corresponded with on Reddit five months earlier! I went to look at my old private messages with zero404cool and discovered another message from him or her a couple of months after our last contact:

Hi, have you figured out your PIN code? If not—it's such a small amount that you have locked up there. It's hardly even worth the recovery work. Even at today’s prices, maybe, just maybe, a 50%/50% split of recovered coins would do it...

I considered accepting zero404cool’s offer to help, but I decided to first reach out to a bitcoin expert I’d gotten to know over the years named Andreas M. Antonopoulos, author of The Internet of Money. I'd interviewed Andreas a few times for Boing Boing and Institute for the Future, and he was a highly respected security consultant in the bitcoin world.

He knew more about bitcoin than anyone I’d met. I emailed him on August 20 and told him how I couldn’t access the $30,000 worth of bitcoins stuck on my Trezor. I asked if the vulnerability offered a chance to get my bitcoins back. “The vulnerability described in the article is in fact real and it can be used to recover your seed, since you have not upgraded firmware to 1.5.2 (I assume), which disables this vulnerability.” I’m lucky I didn’t upgrade my Trezor to 1.5.2, because downgrading the firmware would have wiped the storage on my Trezor, permanently erasing the seed words and pin.

Andreas went on to say that he knew a teenage “coding whiz who has done amazing work on Trezor and related software.” The kid was 15 years old and his name was Saleem Rashid. He lived in the UK. Andreas had never met him, but he’d spent a lot of time hanging out with him in Slack. Satoshi Labs, maker of the Trezor, also knew about Saleem and had even given him a couple of development Trezors to experiment with. Andreas suggested we set up a private chat with Saleem on the Telegram app.

A few minutes later, Andreas introduced me to Saleem:

“Mark is the owner of a well-locked Trezor hoping for a miracle.”

Andreas outlined the plan: Saleem would initialize one of his Trezors with identical firmware as mine, practice a recovery hack on it until he perfected it, then send me the exploit program via Telegram. I would buy a second Trezor and practice installing and executing Saleem’s hack until I had it down pat. Then, as Andreas put it, I would “execute on the target device” (my original Trezor with the 7.4 bitcoins).

But before we went any further, Andreas said, “best to start by clarifying expectations and terms. For the possibility of success but also for the possibility of failure (which is higher).”

I told Saleem I wanted step-by-step video instructions on what to do. I offered 0.05 BTC ($200) up-front and an additional 0.2 BTC ($800) if I was successful in getting my bitcoins back. Saleem agreed to the terms. I added, “If you end up spending a lot of extra time preparing the instructions, let me know and we can increase the payment accordingly.”

I ordered a second Trezor on Amazon. In the meantime, Saleem told me I would need the open source operating system Ubuntu Linux. I installed it on an old MacBook Air.

The Fee: August 24, 2017: 7.4 BTC = $32,387
Saleem:
Hey Mark The video is done, but I would like to raise the price a bit for a few reasons
Making the video was absolute hell (I don't have a proper camera for this so I had to do some elaborate mounting system which took ages to set up)
I had to write the code for the exploit firmware (which I think should be factored into the price)

Me:
Fair enough

Saleem:
So, would it be possible to get 0.35 BTC for the video and the exploit firmware, then 0.5 BTC if you're successful?
For a total of 0.85 BTC
I know it's a steep increase, but I think it's a fair amount for the work I've done

Saleem wanted the equivalent of $3,700, almost four times as much as the original fee, but I figured it was worth it (and was a vastly better deal than the one zero404cool had offered me). If I could just see my PIN again—the one that Trezor, Wallet Recovery Services, Reddit users, and everyone else told me was irrecoverable—I would happily pay Saleem whatever he asked. It would be, like Andreas said, a miracle. How could I put a price on that?

Me:
Have you tested your firmware on a Trezor that's running the same firmware that I have?

Saleem:
In the video I install 1.4.0 on a TREZOR, set it up, then get the PIN wrong a few times (so it's in the same state as yours)

Me:
OK, it's a deal then.

Saleem gave me his bitcoin address and I sent him 0.35 bitcoin from an online wallet I'd set up a couple of months earlier. A minute later, he uploaded two files, one called exploit.bin, the other a 10-minute video. The video was a screen capture of his computer display, showing Linux line commands that he was entering in a terminal window. There was no sound. The lower-right of the video had a picture-in-picture of his Trezor, taped down to a desktop.

I know very little about Linux line commands, so what I was watching had little meaning. The first part of the video was just instructions for initializing the test Trezor and downgrading the firmware to version 1.4.0 so I could practice on my second Trezor. The actual instructions for installing and using the exploit firmware were on the final three minutes of the video.

I asked Saleem to explain how his hack worked. He told me that when the Trezor is powered on, its firmware (basically, the Trezor’s operating system) copies its PIN and 24 seed words into the Trezor’s SRAM (static RAM, memory that the Trezor uses to store information) in an unencrypted form. If you do what is called a “soft reset” on the device—accomplished by delicately shorting two pins on its printed circuit board—you can then install the exploit firmware without wiping the SRAM’s memory. This allows you to see your PIN and seed numbers.

My second Trezor arrived on Friday. I was eager to get started, but I had to wait until Saturday because I had to record a bunch of podcasts that afternoon. The only thing I did on Friday was cut open the practice Trezor’s case to remove its printed circuit board. I used a snap-blade knife, running it along the seam slowly and gently until I could pull the case apart. Even though it was just the practice Trezor, I was sweaty and shaky. I’d had such a terrible relationship with the Trezor over the past five months that I couldn’t think rationally about it. I was terrified that I would cut through a trace on the board. Once I got it open, I plugged it in to make sure it still powered on. It did.

The Exploit: August 26, 2017: 7.4 BTC = $32,208
I slept surprisingly well on Friday night. Carla and Sarina were out of the house. Jane was practicing ukulele and Japanese in her bedroom. I cleared off a small desk in my office, put the MacBook Air running Linux on the desk, and attached the USB cable to the practice Trezor. I taped it down on the table, like Saleem had.

I watched Saleem’s video again, this time writing down the Linux commands he’d used into a text file so I could copy and paste them into the terminal window. At one point in the video, Saleem had reset his Trezor by shorting two pins on the circuit board using a pair of tweezers and pushing the Trezor’s two buttons at the same time. The PINs were tiny, and I knew my hands would be shaking too much to use tweezers. Instead, I rigged together a couple of wires and a pushbutton to make it easy to reset the Trezor.

By following the instructions, I was successfully able to downgrade the firmware to version 1.4.0. I gave the test Trezor a PIN (2468) and wrote down the 24-word seed it generated for me. Then I installed the exploit firmware, entered about a dozen different Linux commands, pressed the buttons to soft-reset the Trezor, then entered a few more commands. It worked! The practice Trezor had been successfully cracked, and I could see the recovery keywords and PIN on the Mac’s display. I went through the process six more times, which took the entire morning and most of the afternoon. I was surprised to see that it was already 3:45 in the afternoon. The time had shot by, and I'd missed lunch and my usual afternoon espresso. I had no desire for either.

I was ready to try it on the original Trezor. I called Jane to come in and make a video recording of my one shot at getting my bitcoins back.

One thing that had made me nervous for the past few days was my uncertainty about whether I’d added a passphrase on top of my PIN, which was an additional security feature the Trezor offered. After five months of not being able to use it, I wasn’t sure if I’d set it up with one or not. Saleem and Andreas had told me that if my Trezor did have a passphrase, then it really was game over. My Trezor would be locked for good. My doubt on this point was like an icepick in my gut every time I thought about it, which was often.

I plugged in the Trezor and entered:

sudo trezorctl get_features
This caused the screen to display information about the state of the Trezor. I frantically moved my eyes around the screen until I saw the words:

passphrase_protection: false
Yes! That’s what I wanted to see. Almost nothing could stop me now.

When it came time to push the buttons on the Trezor, my fingers wouldn’t obey me. “I’m shaking so hard,” I said to Jane. I had to stop for a minute and sit back. I tried again and failed. On the third attempt I was able to press all three buttons at once. This reset the Trezor, allowing me to install exploit.bin.

I typed in the following command to load Saleem’s custom firmware onto the Trezor:

sudo trezorctl firmware_update -f exploit.bin
This command erased the existing firmware and installed Saleem’s version. The Trezor’s display said:

New firmware successfully uploaded. You may now unplug TREZOR.
This was where I absolutely should not unplug the Trezor. (I remembered a warning Andreas had given me: “Power loss during the firmware upload is catastrophic, you will lose all your data.”) Instead, I pushed the little button I’d wired to the printed circuit board to soft-reset the Trezor. Its display showed an exclamation point in a triangular icon and said:

WARNING Unofficial software detected
Thanks for the warning, I thought. This was exactly what I was trying to do: run unofficial software on this damned thing. I pressed one of the Trezor’s buttons to confirm that I wanted to proceed, and the screen said EXPLOIT, which meant Saleem’s software was on the Trezor. There was no turning back. Either this was going to work, or the Trezor would be wiped clean and my bitcoin would be gone forever, even if I happened to recall my PIN sometime in the future. Now I needed to enter a few more commands to read the contents of the Trezor’s static RAM (the part where my 24 word seed and PIN would reside, as long as the Trezor didn’t lose power).

“OK,” I told Jane as I entered a command, “this is going to tell us the seed.” I leaned over the keyboard and hit enter.

I sat back, and said quietly, “Oh my God. It worked.”

The 24 seed words I’d written on an orange piece of paper in December and lost in March had risen from the cryptographic confines of the bulletproof Trezor and were now gently glowing on the screen of my computer. I could stop here if I wanted. Those 24 words were the only thing I needed to recover my 7.4 bitcoins. I could just reinitialize the Trezor and enter the words back into it and I would be done. But there was one more thing I needed to do, and it was even more important than the money. I wanted to force the fucking Trezor to cough up my PIN.

Following Saleem’s instructions, I copied a string of text from the terminal window and added it to a Linux command Saleem had supplied. The PIN appeared instantly.

45455544

Months of soul-crushing anxiety fell away like big clods of mud that had been clinging to my shoulders. I stood up, raised my arms, and began laughing. I’d conquered the Trezor with its nerdishly cruel PIN delay function, and one-upped the part of my brain that thought it could keep a secret from its owner. Fuck the both of you, I thought. I won.



* The PIN numbers in this story have been changed to protect the author's privacy.

No comments:

Post a Comment