Kraken Security Labs has found a way to extract seeds from both Trezor cryptocurrency hardware wallets, the Trezor One and the Trezor Model T. This is the first time the detailed steps for a current attack against these devices have been disclosed.
The attack, which uses voltage glitching to extract an encrypted seed, requires just 15 minutes of physical access to the device. The vulnerability is caused by flaws within the microcontroller used in the Trezor wallets. This means that a complete hardware redesign is necessary to overcome the flaws.
Kraken Security Labs gives the following advice to Trezor wallet users:
Do not allow anyone physical access to your Trezor wallet. You could permanently lose your crypto.
Enable your BIP39 passphrase with the Trezor Client. The passphrase is a bit clunky to use in practice, but it is not stored on the device and therefore prevents this attack.
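
Why a passphrase that is not stored on the device helps, as an added example (not code from Kraken Security Labs or Trezor): under the BIP39 standard, the 64-byte wallet seed is derived from the recovery words and the passphrase together, so the recovery words alone lead to a different wallet. The mnemonic and the "TREZOR" passphrase are the public BIP39 test vector; the function names and the wrong-guess passphrase are assumptions made for this illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample input, never use for funds).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from recovery words plus optional passphrase.

    BIP39: PBKDF2-HMAC-SHA512, 2048 iterations, password = mnemonic,
    salt = "mnemonic" + passphrase, both NFKD-normalized UTF-8.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def opens_same_wallet(mnemonic: str, guess: str, real_passphrase: str) -> bool:
    """True only if the guessed passphrase derives the owner's seed (hypothetical helper)."""
    return hmac.compare_digest(
        bip39_seed(mnemonic, guess), bip39_seed(mnemonic, real_passphrase)
    )


if __name__ == "__main__":
    owner = "TREZOR"  # passphrase kept only in the owner's head, not on the device
    print("seed with passphrase   :", bip39_seed(TEST_MNEMONIC, owner).hex()[:32], "...")
    print("seed from words alone  :", bip39_seed(TEST_MNEMONIC).hex()[:32], "...")
    # Recovery words without the passphrase derive an unrelated seed.
    print("words alone open wallet:", opens_same_wallet(TEST_MNEMONIC, "", owner))
    print("wrong guess opens it   :", opens_same_wallet(TEST_MNEMONIC, "trezor", owner))
    print("right passphrase opens :", opens_same_wallet(TEST_MNEMONIC, "TREZOR", owner))
```

The protection is only as strong as the passphrase itself, since each guess costs just one PBKDF2 computation for someone who already holds the recovery words.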