Redditor Issues Warning After Phone’s Predictive Text Guessed His Seed Phrase

An IT professional from Germany has warned fellow Reddit users after discovering that his mobile phone’s predictive text feature enabled it to correctly predict his entire recovery seed phrase after typing in the first word.

Guessing Seed Phrases: Impossible?

Seed phrases, a random selection of 2048 words originating from Bitcoin Enhancement Protocol (BIP) 39, enable users to back up or recover access to their crypto holdings. The prospect of correctly guessing the correct 12- or 24-word seed phrase is virtually impossible, even with quantum computing. To give a sense of how low the probability is, one Reddit user ran the numbers.

Imagine then the surprise of Andre, also known as u/Divinux on Reddit, when he noticed that his phone accurately guessed the 12–24 word seed phrase, in the right order. “First, I was stunned. The first couple of words could be a coincidence, right?” he said, adding:

This makes it simple to assault, get your fingers on a telephone, begin any chat app, and begin typing any phrases off the BIP39 record, and see what the telephone suggests.

Advertisement

u/Divinux on Reddit

However, being IT literate and recognising the risk, he decided it would be best to put word out to the community.

Different Keyboards, Different Results

To properly assess the risk, Andre decided to evaluate how a range of different keyboards performed. His findings revealed that Google’s GBoard was the least vulnerable, since it did not predict every word in the correct order. However, both Microsoft and Samsung’s keyboards were able to predict the seed phrase word-for-word by default.

He then proceeded to issue a warning to fellow crypto enthusiasts:

Not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings.

u/Divinux on Reddit

Perhaps more pertinently, he concluded that users should “do [themselves] a solid [favour] and prevent that [predictive text guessing the seed phrase] from happening by clearing [their] predictive type cache”. Others however, such as u/babaossa77, thought even that didn’t go far enough: “If you typed your seed phrase into your mobile phone I’d already consider that seed as unsafe and wouldn’t use it for any bigger funds, even after clearing the cache.”

Just two weeks ago, MetaMask issued a phishing attack notice to its users, suggesting that when it comes to security, it’s ultimately a matter of degree since one can never be truly immune to the risk of a breach.