Jean-Philippe Aumasson, CSO and co-founder of Taurus, a Swiss fintech company that specializes in building secure digital infrastructure for digital assets, has discovered a potential vulnerability in the popular Tron wallet TronLink.
Blockchain platform Tron has previously been accused of not taking security seriously; in early 2018 there were even allegations that it had plagiarized its whitepaper. This time the alleged vulnerability lies in the code of the TronLink wallet and, according to Aumasson, is one that should have been easy to detect.
“These are the main shortcomings that any authorized auditor in the crypto space will notice,” Aumasson said, according to news outlet Decrypt.
A mnemonic is a list of 12 words from which the private key that controls access to a cryptocurrency wallet is derived. Aumasson claims that TronLink encrypts its mnemonics poorly. “Apparently the official Tron wallet uses AES-ECB to encrypt the 12-word mnemonic,” Aumasson said.
AES-ECB refers to the cipher and mode used to encrypt the 12-word mnemonic. The reason this is a bad choice, according to Aumasson, is that ECB mode does not properly protect the encrypted data. “ECB mode handles each data block independently; however, there must be some correlation between the blocks to guarantee a higher form of security,” he said.
ECB mode has long been criticized by security researchers as a weak form of encryption. As cybersecurity firm NotSoSecure explains, “ECB is the simplest and most popular encryption mode, but it’s also pretty weak.”
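The Go program below is an added illustration of the weakness Aumasson describes, not code from the article, TronLink or Taurus. It encrypts a constructed 12-word phrase with AES-ECB, where every repeated word produces an identical ciphertext block, beside AES-GCM, the authenticated mode that hides such repeats; the one-word-per-block layout and the sample phrase are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed sample (no real wallet's phrase); the repeated word exposes the ECB leak.
var sampleMnemonic = []string{"abandon", "abandon", "abandon", "abandon", "abandon", "abandon",
	"abandon", "abandon", "abandon", "abandon", "abandon", "about"}

// padWords stores one word per 16-byte block, zero-padded. This fixed-width
// layout is an assumption for the demonstration, not TronLink's real format.
func padWords(words []string) []byte {
	out := make([]byte, len(words)*aes.BlockSize)
	for i, w := range words {
		copy(out[i*aes.BlockSize:], w)
	}
	return out
}

// ecbEncrypt encrypts every block independently with the same key and no IV.
// Go's standard library deliberately has no ECB mode; this reproduces it only
// to show that equal plaintext blocks yield equal ciphertext blocks.
func ecbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%aes.BlockSize != 0 {
		panic("ecbEncrypt: bad key or plaintext not block-aligned")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:], pt[i:])
	}
	return ct
}

// gcmEncrypt is the sound alternative: a fresh random nonce (prepended to the
// output) and an authentication tag, so repeats leak nothing and tampering is detected.
func gcmEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte blocks
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...)
}
```

Comparing the first two 16-byte blocks of each output is the quickest check an auditor can run on a stored blob: identical blocks point to ECB (or another deterministic mode) on structured data.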
Will Tron and Tron owners be affected?
The attack must be carried out locally on the victim’s own device, because the flaw is in the wallet software rather than in the underlying blockchain network, which can be accessed from anywhere. If successful, an attacker could take the victim’s Tron coins and send them to their own address.
While Aumasson admits that this doesn’t affect all Tron owners, it does affect everyone who uses this wallet. “It’s not a niche app that 15 people use, after all,” he added.
If Aumasson is right, Tron owners may want to take precautions. Aumasson suggested that Tron owners consider three options in light of these findings. “I encourage Tron owners to a) ensure that the problem is mitigated by wallet developers in the next release, b) make sure they have strong passwords, c) consider alternative wallet apps,” he said.