Breaking the Vault: USB Bugs and Bug Bounty Failures
Sergei Volokitin
Hexacon 2025 · Day 1 · Main Stage
In this insightful Hexacon talk, independent security researcher Sergei Volokitin, known as Hexplot, delves into the critical vulnerabilities he uncovered in the Cypherock X1 hardware wallet, a device marketed as one of the "strongest, securest" solutions for cryptocurrency key storage. The presentation meticulously details a severe **USB buffer overflow** vulnerability that allowed an attacker to silently extract sensitive user data, including the user's PIN and the entire 24-word root secret (seed phrase), directly from the device's memory. This finding directly contradicts the vendor's core security claims that the wallet remains safe even if the connected PC is compromised.
AI review
Solid, technically grounded hardware security research from someone who clearly did the actual work. Volokitin found a real USB buffer overflow in a device making bold security claims, built a working exploit chain with no mitigations to fight through, and had the vendor's own forensic trail to prove they lied about prior knowledge. The bug bounty drama adds legitimate value as a case study in vendor malpractice. Not a world-shaking contribution to exploitation theory, but exactly the kind of rigorous, honest, proof-is-in-the-PoC research that hardware security needs more of.