Seed phrases, a random sequence of words drawn from the 2,048-word Bitcoin Improvement Proposal (BIP) 39 list, are the recovery key from which every private key in a wallet is derived: anyone who learns the words can restore the wallet and spend its funds. But what happens when your “smart” phone’s predictive typing remembers the words and suggests them the next time someone types into it?
Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering that his phone could predict his entire recovery seed phrase as soon as he typed the first word.
Andre’s post warned fellow Redditors and crypto enthusiasts that anyone with the phone in hand could use the feature to recover the phrase, and with it the funds, simply by typing a single word from the BIP39 list and reading the suggestions:
“This makes it easy to attack, get your hands on a phone, start any chat app, and start typing any words off the BIP39 list, and see what the phone suggests.”
Speaking to Cointelegraph, Andre — known as u/Divinux on Reddit — shared his shock when he first saw his phone accurately guessing the 12–24-word seed phrase. “First, I was stunned. The first couple of words could be a coincidence, right?”
Being tech-savvy, the German crypto investor was able to reproduce the behaviour and confirm that his phone was predicting the seed phrase word for word. After realizing what this information could do in the wrong hands, “I thought I should tell people about it. I’m sure there are others who also have typed seeds into their phone.”
Andre’s experiments found Google’s Gboard to be the least vulnerable: it did not predict every word, and not in the correct order. Microsoft’s SwiftKey keyboard, however, predicted the seed phrase with its default settings. The Samsung keyboard can predict the words too, once “auto-replace” and “suggest text corrections” have been manually turned on.
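To make the mechanism concrete, the following Python model of a personalising keyboard is an added example; it is not code from Gboard, SwiftKey or the Samsung keyboard, nor from Andre’s post. A bigram predictor learns from a constructed typing history that contains one 12-word phrase built from real BIP39 words. `recover_phrase` performs the attack quoted above (type one word, keep accepting the top suggestion), `longest_bip39_chain` is a check a defender could run over an exported keyboard dictionary, and `clear` models wiping the predictive cache. The typing history, the phrase and all function names are assumptions made for the example.

```python
"""Toy bigram next-word predictor modelling a personalising keyboard.
Added example: not Gboard, SwiftKey or Samsung keyboard code.
The typing history and the 12-word "seed" below are constructed."""
from collections import Counter, defaultdict

# Constructed: 16 words from the real BIP39 English list (which has 2,048).
BIP39_WORDS = {"abandon", "ability", "able", "about", "above", "absent",
               "absorb", "abstract", "absurd", "abuse", "access", "accident",
               "account", "accuse", "achieve", "acid"}

# Constructed 12-word phrase: valid BIP39 words, but not a checksum-valid mnemonic.
SEED_PHRASE = ("absurd access account achieve abstract acid above absorb "
               "ability absent abuse accuse").split()

# Constructed typing history: everyday chat, plus the seed phrase typed once
# into a wallet app while the keyboard's personalisation was switched on.
TYPING_HISTORY = [
    "are you there yet",
    "running late sorry see you in ten",
    " ".join(SEED_PHRASE),
    "ok no worries see you then",
]


class Predictor:
    """Remembers, for each typed word, which word most often followed it."""

    def __init__(self):
        self.following = defaultdict(Counter)

    def learn(self, text):
        words = text.lower().split()
        for cur, nxt in zip(words, words[1:]):
            self.following[cur][nxt] += 1

    def suggest(self, word):
        """Top suggestion for the next word, or None if the word was never typed."""
        counts = self.following.get(word.lower())
        return counts.most_common(1)[0][0] if counts else None

    def clear(self):
        """Models 'clearing the predictive type cache'."""
        self.following.clear()


def recover_phrase(pred, first_word, length=12):
    """The attack from the post: type one word, keep accepting the top suggestion."""
    phrase = [first_word]
    while len(phrase) < length:
        nxt = pred.suggest(phrase[-1])
        if nxt is None:
            break
        phrase.append(nxt)
    return phrase


def longest_bip39_chain(pred, wordlist):
    """Defender's check: longest run of suggestions that never leaves the BIP39
    list. Everyday text rarely chains 12 list words; a typed seed phrase does."""
    best = []
    for start in wordlist:
        chain, seen = [start], {start}
        while True:
            nxt = pred.suggest(chain[-1])
            if nxt is None or nxt not in wordlist or nxt in seen:
                break
            chain.append(nxt)
            seen.add(nxt)
        if len(chain) > len(best):
            best = chain
    return best


def demo():
    pred = Predictor()
    for line in TYPING_HISTORY:
        pred.learn(line)
    leaked = recover_phrase(pred, "absurd")          # whole phrase from one word
    chain = longest_bip39_chain(pred, BIP39_WORDS)   # 12-word chain flags the leak
    pred.clear()
    after = recover_phrase(pred, "absurd")           # nothing left to suggest
    return leaked, chain, after


if __name__ == "__main__":
    leaked, chain, after = demo()
    print("leaked:", " ".join(leaked))
    print("longest BIP39 chain:", len(chain), "words")
    print("after clearing cache:", after)
```

The chain check is the useful part for a defender: ordinary messages contain BIP39 words ("about", "able"), but they are followed by everyday words, so the run of in-list suggestions stays short. Only a phrase that was actually typed produces a chain of twelve or more.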
Andre first got into crypto in 2015, lost interest for a while, and came back when he realized he could buy goods and services with Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves buying and staking BTC and altcoins such as Terra’s LUNA, Algorand’s ALGO and Tezos’ XTZ, and “then dollar-cost averaging out into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.
The safest place for significant, long-term holdings, according to Andre, is a hardware wallet, where the seed never has to be typed into a phone at all. To Redditors across the world, he advised: “Not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings,” concluding:
“Do yourself a solid and prevent that from happening by clearing your predictive type cache.”
Related: STEPN impersonators stealing users’ seed phrases, warn security experts
Blockchain security firm PeckShield recently warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.
#PeckShieldAlert #phishing PeckShield has detected a batch of @Stepnofficial phishing sites. They insert a false MetaMask browser extension leading to stealing your seed phrase or prompt you to connect your wallets or “Claim” giveaway. @Metamask @Coinbase @WalletConnect @phantom pic.twitter.com/cmWUcprMAN
— PeckShieldAlert (@PeckShieldAlert) April 25, 2022
As Cointelegraph reported, based on PeckShield’s findings, the attackers serve a forged MetaMask browser extension through which they harvest seed phrases from unsuspecting STEPN users.
Access to a seed phrase gives an attacker complete control over the user’s crypto funds, including everything reachable through the STEPN dashboard.
The security risk of text prediction on smartphones has recently received wider attention. To make typing faster, vendors ship keyboards that learn from what the user types and suggest the next word. The same personalisation that learns your vocabulary also learns anything typed into it, including secrets.
In the cryptocurrency space specifically, a crypto hodler’s seed phrase is among the most sensitive pieces of data they hold. It restores the wallet and every asset in it, and must remain secret at all times. However, a report from researcher Harry Denley indicates that a smartphone’s text-prediction suggestions can be used to recover the seed phrase.
The official statement from the researcher reads: “If you use the text prediction feature on your phone and you enter your seed phrase, if the seed phrase contains words that are used regularly in the language, the text predictor may autocomplete your seed phrase.”
Essentially, this means that a seed phrase that has ever been typed into a learning keyboard can be recovered by anyone who can type on that phone afterwards. The risk does not depend on how “strong” the phrase is: every BIP39 word is an ordinary dictionary word by design, so the predictor treats a seed exactly like any other sentence it has learned. The only reliable protection is to never type the phrase into a device with a learning keyboard, which in practice means keeping it on paper or in a hardware wallet, disabling personalised predictions, and clearing the keyboard’s learned dictionary if the phrase has already been typed.
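Partial leaks are enough. Gboard, as noted above, returned the right words but not in the right order, and a keyboard that offers three suggestions for each of 12 slots still leaves 3^12 = 531,441 candidate phrases rather than one. BIP39 phrases carry a checksum (ENT bits of entropy followed by ENT/32 bits of SHA-256, which for a 12-word phrase means only 1 in 16 candidates passes), and checking it prunes that candidate set without ever touching a wallet. The Python below is an added example, not from the article, Denley’s report or any wallet project. It implements the BIP39 checksum arithmetic from the specification, but embeds a constructed 2,048-entry placeholder wordlist so it runs offline; loading the real english.txt into `WORDLIST` makes it validate real phrases with no other change. The function names and the sample entropy are assumptions made for the example.

```python
"""BIP39 checksum validation and candidate pruning. Added example, not from
the article. The real English wordlist is not embedded: WORDLIST is a
constructed placeholder of 2,048 entries so the code runs offline."""
import hashlib
import itertools

WORDLIST = [f"w{i:04d}" for i in range(2048)]   # constructed placeholder list
INDEX = {w: i for i, w in enumerate(WORDLIST)}


def entropy_to_mnemonic(entropy: bytes):
    """BIP39 encoding: ENT bits of entropy + ENT/32 checksum bits, split into
    11-bit word indices. 16 bytes -> 12 words, 32 bytes -> 24 words."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16-32 bytes in 4-byte steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)  # first cs bits
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [WORDLIST[(bits >> (total - 11 * (i + 1))) & 0x7FF]
            for i in range(total // 11)]


def is_valid_mnemonic(words):
    """True iff every word is in the list and the trailing checksum bits equal
    the first ENT/32 bits of SHA-256 over the recovered entropy."""
    n = len(words)
    if n not in (12, 15, 18, 21, 24) or any(w not in INDEX for w in words):
        return False
    bits = 0
    for w in words:
        bits = (bits << 11) | INDEX[w]
    cs = n // 3                 # 11n = ENT + ENT/32, so ENT/32 = n/3
    ent = 11 * n - cs
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (bits & ((1 << cs) - 1)) == expected


def prune_candidates(slots):
    """Given candidate words per position (e.g. several keyboard suggestions
    for each slot), keep only the combinations with a valid checksum."""
    return [list(c) for c in itertools.product(*slots)
            if is_valid_mnemonic(list(c))]


def demo():
    entropy = bytes(range(16))                  # constructed 128-bit entropy
    phrase = entropy_to_mnemonic(entropy)       # 12-word phrase
    last = INDEX[phrase[-1]]
    # Four candidates for the last slot that share all entropy bits and differ
    # only in the 4 checksum bits: exactly one survives the check.
    slots = [[w] for w in phrase[:-1]] + [[WORDLIST[last ^ x] for x in range(4)]]
    return phrase, prune_candidates(slots)


if __name__ == "__main__":
    phrase, kept = demo()
    print("valid:", is_valid_mnemonic(phrase))
    print("candidates surviving checksum:", len(kept))
```

The same check is what a wallet runs before accepting a restored phrase, so it is equally useful on the defensive side for verifying a paper backup was written down correctly. Note that the checksum is not a secret: it only ever reduces an attacker’s search, never the user’s exposure.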
If you are a crypto hodler, take steps now to protect your seed phrase from this kind of exposure. Two-factor authentication still belongs on exchange and other custodial accounts, where a provider holds the keys and a password alone should not be enough; it does nothing for a self-custodied wallet whose seed phrase has leaked, because the phrase by itself restores the wallet on any device, with no second factor involved.
In conclusion, keeping crypto assets secure means being aware of the risk that predictive text on a smartphone poses to the seed phrase. Use strong, unique passwords and two-factor authentication on the accounts that support them, and never type a seed phrase into a device with a learning keyboard. Only by keeping the seed phrase off such devices can you be sure your cryptocurrency holdings remain yours.