
Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 162. (Read 966173 times)

full member
Activity: 162
Merit: 109
OK, I am a hacker, and the right seed (as a simple example) is three words, but the dictionary has 2048 words for each position (as Trezor has):

User entered: red green blue

Hacker got: blue green red

OK, he runs the process and gets only these variants (B, G, R):

B G R
G B R
R G B
B R G

Here there are 2^2 variants (maybe because 2^(3-1))

If the hacker doesn't know the exact words, he has to try 2048^3 variants (maybe 'red', maybe 'cat' and so on).

Now imagine it for 12 words and for 24 words.
Maybe there will be 2^11 variants for 12 words, not 2^12 as I wrote above.
OK, for 24 words we will get 2^23 = 8388608 combinations.
I think these combinations can be computed in 1-10 seconds. I think the user will not have time to send his bitcoins elsewhere.

OK, wallet32 is an Android application that works as a BIP32 wallet. But if you use a special hardware device that keeps the private keys inside, it would be very strange to enter the seed on an Android phone in order to send all your bitcoins :) If you trust your Android phone as much as a Trezor, I think this topic is not for you :)

But this hack will take one second if the hacker sniffs the 12 or 24 words.
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
Hi,

please wait

OK, MyTrezor.com asks the user (I don't know, I haven't received my Trezor yet, I'm waiting) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly the 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of the words. Am I right?
It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device - this process can be automated. 2^12 computations can be run on a computer in seconds, or in less than one second.

I'm not talking about guessing the seed. I'm talking about guessing the seed when the hacker knows exactly the 12 words of the seed, which he sniffed via a trojan, a fake mytrezor.com site, etc.

12 words is completely insecure if the attacker has infested your computer:

Input: 12!

Result: 479001600 combinations

Just choose 24! and if you are paranoid then make a new account after recovery.
full member
Activity: 162
Merit: 109
Hi,

please wait

OK, MyTrezor.com asks the user (I don't know, I haven't received my Trezor yet, I'm waiting) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly the 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of the words. Am I right?
It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device - this process can be automated. 2^12 computations can be run on a computer in seconds, or in less than one second.

I'm not talking about guessing the seed (where there are 2^128 combinations). I'm talking about guessing the seed when the hacker knows exactly the 12 words of the seed (with one word, the hacker already knows exactly 2^11 bits of part of the seed), which he sniffed via a trojan, a fake mytrezor.com site, etc.
legendary
Activity: 3430
Merit: 3080
Why not make a small recovery utility, to be used on a cheap device (Raspberry Pi, etc) that's kept permanently offline? Or would wallet/seed recovery functions in MyTREZOR work if copied to an offline machine? I realise third party wallet software with Trezor compatibility could be used, but this may take some time to reach the main branch of those projects, or possibly never happen if the developers change their minds (however doubtful that is).
legendary
Activity: 1792
Merit: 1111
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer.

The attack that worries the OP may be:  hacker installs malicious browser/plugin in many computers and waits for one of the owners to start the recovery procedure.  As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail.  Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet.

(A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same.  Including biometrics.  Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)

The TREZOR will ask you to enter the recovery seed in random order, and the order is only displayed on the Trezor. Your computer doesn't know what order is right.

So even if the attacker has all words, it is pretty much useless. And the entered order is different every time you are prompted to enter it!

As I read from the manual, the Trezor will also ask the user to input some random extra words, making it more secure. Still, I don't feel very comfortable to enter my private key on a network-connected computer.
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer.

The attack that worries the OP may be:  hacker installs malicious browser/plugin in many computers and waits for one of the owners to start the recovery procedure.  As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail.  Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet.

(A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same.  Including biometrics.  Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)

The TREZOR will ask you to enter the recovery seed in random order, and the order is only displayed on the Trezor. Your computer doesn't know what order is right.

So even if the attacker has all words, it is pretty much useless. And the entered order is different every time you are prompted to enter it!
legendary
Activity: 1792
Merit: 1111
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer.

The attack that worries the OP may be:  hacker installs malicious browser/plugin in many computers and waits for one of the owners to start the recovery procedure.  As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail.  Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet.

(A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same.  Including biometrics.  Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)

Only the victim and the victim's Trezor know the order of the words. The order is generated by the Trezor, only shown on its screen, and never transmitted to the infected computer. The malware may make the recovery fail. However, as the malware does not know the order, it can't recover the wallet either.
hero member
Activity: 910
Merit: 1003
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer.

The attack that worries the OP may be:  hacker installs malicious browser/plugin in many computers and waits for one of the owners to start the recovery procedure.  As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail.  Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet.

(A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same.  Including biometrics.  Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)
legendary
Activity: 1792
Merit: 1111
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.

In case you didn't catch the factorial operator, that's 6.2044840173323943936 × 10^23 combinations that an attacker has to try.

Even if they could try 1 quadrillion combinations per second, it would still take 20 years to exhaust every possibility.

Put another way, in order for an attacker to be able to find your seed within 10 minutes (during which time you should easily be able to transfer the coins to a different device), they would need to be able to try 10^21 (1 sextillion) combinations per second.

This assumes that the first 6.2044840173323943936 × 10^23 - 1 tested combinations are all incorrect, which is extremely unlikely. The probability of this happening is equal to having a correct guess in the first attempt.

By the way, the manual should warn the user that after recovery the wallet is not perfectly safe and they should transfer everything to a new wallet.

I think Perlover's solution is better
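
A simplified model of the shuffled recovery and the search-space figures discussed in this thread, as an added example that is not part of any post and is not Trezor's code. The function names, the decoy handling and the sample words are assumptions made for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def recovery_session(mnemonic, decoys):
    """Simplified model of shuffled recovery (hypothetical, not Trezor firmware).

    The device decides the prompt order and shows it only on its own screen;
    the host (and any keylogger on it) sees just the words as they are typed.
    """
    rng = secrets.SystemRandom()
    # Device-side secret: the slot each prompt refers to (None marks a decoy).
    prompts = [(slot, word) for slot, word in enumerate(mnemonic)]
    prompts += [(None, word) for word in decoys]
    rng.shuffle(prompts)

    host_view = [word for _, word in prompts]   # everything the host observes
    restored = [None] * len(mnemonic)           # rebuilt inside the device
    for slot, word in prompts:
        if slot is not None:
            restored[slot] = word
    return host_view, restored


def candidate_orderings(n_words, n_decoys=0):
    """Ordered ways to pick the n real words out of everything captured."""
    return math.perm(n_words + n_decoys, n_words)


def years_to_exhaust(candidates, guesses_per_second):
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def rate_needed(candidates, seconds):
    """Guesses per second needed to cover every candidate in the given time."""
    return candidates / seconds


if __name__ == "__main__":
    # Constructed sample input: the three-word toy seed and one decoy word.
    seen, restored = recovery_session(["red", "green", "blue"], ["cat"])
    print("host saw:", seen, "| device restored:", restored)
    for n in (3, 12, 24):
        print(n, "words:", candidate_orderings(n), "orderings")
    full = candidate_orderings(24)
    print("24 words at 1e15/s: %.1f years" % years_to_exhaust(full, 1e15))
    print("24 words in 10 min: %.2e guesses/s" % rate_needed(full, 600))
```

The counts are orderings of known words only; each extra decoy word typed during recovery multiplies the number of candidates further.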
legendary
Activity: 1792
Merit: 1111
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?

Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
hero member
Activity: 910
Merit: 1003
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
legendary
Activity: 1792
Merit: 1111
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.

In case you didn't catch the factorial operator, that's 6.2044840173323943936 × 10^23 combinations that an attacker has to try.

Even if they could try 1 quadrillion combinations per second, it would still take 20 years to exhaust every possibility.

Put another way, in order for an attacker to be able to find your seed within 10 minutes (during which time you should easily be able to transfer the coins to a different device), they would need to be able to try 10^21 (1 sextillion) combinations per second.

This assumes that the first 6.2044840173323943936 × 10^23 - 1 tested combinations are all incorrect, which is extremely unlikely. The probability of this happening is equal to having a correct guess in the first attempt.

hero member
Activity: 496
Merit: 500
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.

In case you didn't catch the factorial operator, that's 6.2044840173323943936 × 10^23 combinations that an attacker has to try.

Even if they could try 1 quadrillion combinations per second, it would still take 20 years to exhaust every possibility.

Put another way, in order for an attacker to be able to find your seed within 10 minutes (during which time you should easily be able to transfer the coins to a different device), they would need to be able to try 10^21 (1 sextillion) combinations per second.
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
legendary
Activity: 1792
Merit: 1111
Dear BitcoinTrezor Team!

Thanks for your device! I ordered it (it is somewhere on the way now).
But one question, please.

You use a nicely protected way of entering the PIN code on a computer that can be infected by a virus/trojan. It keeps my PIN safe from keyloggers and mouse loggers.
But I have read your Trezor documentation, and if I understand it right, your device has one vulnerability.

If I lose my Trezor, I go to your site "mytrezor.com", connect a new device to the bridge, and now I have to enter the seed words through the computer.
If my computer is infected, a trojan could catch the entered seed words and immediately after this steal all the bitcoins from the BIP32 wallet.
Can this happen? As I understand it, you don't have the same protected mode for word entry?

As a workaround, the seed could be presented not as words but as 0-2047 digits. BIP32 words are represented as 2^11 digits, right?
You could replace the seed words with digits, and the recovery process could use your PIN mechanism (a random keyboard on the Trezor's screen).

What do you think?

Thanks!
If this ever happens to me here is what I would do:

Get a new Trezor and set it up from scratch with a new seed (no security problem there)
Enter my old seed into wallet32
Immediately send all the BTC to the new Trezor

Yes, I am vulnerable for a brief time there...

Yes, so this is totally unacceptable
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Dear BitcoinTrezor Team!

Thanks for your device! I ordered it (it is somewhere on the way now).
But one question, please.

You use a nicely protected way of entering the PIN code on a computer that can be infected by a virus/trojan. It keeps my PIN safe from keyloggers and mouse loggers.
But I have read your Trezor documentation, and if I understand it right, your device has one vulnerability.

If I lose my Trezor, I go to your site "mytrezor.com", connect a new device to the bridge, and now I have to enter the seed words through the computer.
If my computer is infected, a trojan could catch the entered seed words and immediately after this steal all the bitcoins from the BIP32 wallet.
Can this happen? As I understand it, you don't have the same protected mode for word entry?

As a workaround, the seed could be presented not as words but as 0-2047 digits. BIP32 words are represented as 2^11 digits, right?
You could replace the seed words with digits, and the recovery process could use your PIN mechanism (a random keyboard on the Trezor's screen).

What do you think?

Thanks!
If this ever happens to me here is what I would do:

Get a new Trezor and set it up from scratch with a new seed (no security problem there)
Enter my old seed into wallet32
Immediately send all the BTC to the new Trezor

Yes, I am vulnerable for a brief time there...
full member
Activity: 162
Merit: 109
Dear BitcoinTrezor Team!

Thanks for your device! I ordered it (it is somewhere on the way now).
But one question, please.

You use a nicely protected way of entering the PIN code on a computer that can be infected by a virus/trojan. It keeps my PIN safe from keyloggers and mouse loggers.
But I have read your Trezor documentation, and if I understand it right, your device has one vulnerability.

If I lose my Trezor, I go to your site "mytrezor.com", connect a new device to the bridge, and now I have to enter the seed words through the computer.
If my computer is infected, a trojan could catch the entered seed words and immediately after this steal all the bitcoins from the BIP32 wallet.
Can this happen? As I understand it, you don't have the same protected mode for word entry?

As a workaround, the seed could be presented not as words but as 0-2047 digits. BIP32 words are represented as 2^11 digits, right?
You could replace the seed words with digits, and the recovery process could use your PIN mechanism (a random keyboard on the Trezor's screen).

What do you think?

Thanks!
hero member
Activity: 496
Merit: 500
Chromium in Ubuntu 12.04 just updated and the old plugin stopped working. I'm not switching to firefox for this, so when is the new version coming out?

You know you don't have to switch to Firefox, right? You could just use Firefox only for MyTrezor.
sr. member
Activity: 441
Merit: 268
Chromium in Ubuntu 12.04 just updated and the old plugin stopped working. I'm not switching to firefox for this, so when is the new version coming out?

When it's properly tested.
newbie
Activity: 3
Merit: 0
Chromium in Ubuntu 12.04 just updated and the old plugin stopped working. I'm not switching to firefox for this, so when is the new version coming out?