Latest News

OneKey says it has fixed flaw that got its hardware wallet hacked in 1 second

Unciphered showed a OneKey Mini “Massive critical vulnerability” in a video. The creators say they patched it and are now securing the wallet.

OneKey, a crypto hardware wallet provider, says it has fixed a firmware vulnerability that allowed a hardware wallet to be hacked in one second.

Cybersecurity startup Unciphered posted a YouTube video on Feb. 10 showing how they exploited a “Massive critical vulnerability” to “crack open” a OneKey Mini.

Eric Michaud, a partner at Unciphered, said that by disassembling the device and inserting coding, a potential attacker could return the OneKey Mini to “factory mode” and bypass the security pin, removing the mnemonic phrase used to recover a wallet.

“CPU and secure element.” The secure element stores crypto keys. “Normally, the CPU, where processing is done, and the secure element communicate encryptedly,” Michaud said.

It wasn’t engineered to do so in this case. “So what you could do is put a tool in the middle that monitors and intercepts communications and injects their own commands,” he said, adding:

“We did that where it then tells the secure element it’s in factory mode and we can take your mnemonics out, which is your money in crypto.”

OneKey stated on Feb. 10 that its hardware team had updated the security patch “earlier this year” without “anyone being affected” and that “All disclosed vulnerabilities have been or are being fixed.”

Unciphered’s physical attacks won’t affect OneKey users with password phrases and basic security.

“While the vulnerability is concerning, the attack vector identified by Unciphered cannot be used remotely and requires “disassembly of the device and physical access through a dedicated FPGA device in the lab to be possible to execute,” the company said.

OneKey told Unciphered that other wallets have similar issues.

OneKey also gave Unciphered bounties for their security contributions.

OneKey has taken steps to protect its users from supply chain attacks, in which hackers replace a genuine wallet with one they control, in its blog post.

OneKey uses Apple supply chain service providers and tamper-proof packaging to secure its supply chain.

They want to implement onboard authentication and upgrade newer hardware wallets with better security.

Hardware wallets have always protected users’ money from malware, computer viruses, and other remote threats, but OneKey wrote that nothing is 100% secure.

“When we look at the entire hardware wallet manufacturing process, from silicon crystals to chip code, firmware to software, it’s safe to say that with enough money, time, and resources, any hardware barrier can be breached, even a nuclear weapon control system.”



Crypto products and NFTs are unregulated and can be highly risky. There may be no regulatory recourse for any loss from such transactions. Crypto is not a legal tender and is subject to market risks. Readers are advised to seek expert advice and read offer document(s) along with related important literature on the subject carefully before making any kind of investment whatsoever. Crypto market predictions are speculative and any investment made shall be at the sole cost and risk of the readers.