Then perhaps I'm naive about how all this works. But to me there's a difference between accessing keys, and accessing funds. Are these the exact keys, in the exact format, that someone could use to access the coins? For example, if someone were to "hack" my site, and get access to hashed passwords, this would be seen as a breach, and my system would be described as insecure (which is fair), and it could cause issues for people, but getting a hashed password is not the same as getting a plain text password. Are the keys they recovered from the device the equivalent of a plain text password, or a hashed password? Let's say I create a hardware wallet that stores 2 keys (123 and 456), and it uses those two keys to create a private key by doing stuff to it. So 123 and 456 create the pk 132435. Of course this is a terrible system, and not safe at all, but my point is, accessing 123 and 456, is not the same as accessing the actual pk (132435).
ryan-c|7 years ago
https://rya.nc/bitfi-wallet.html
That particular version of the code doesn't print the private key, but it can be trivially modified to do so.
We demonstrated using the salt and passphrase to extract coins from wallets without the hardware several weeks ago.