Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 180. (Read 966173 times)

There was some Kaspersky Lab research - they've recorded over 8.000.000 attempts of a wallet-stealing malware in 2013.
Important thing to consider in the final numbers is that Kaspersky only has around 3-5% of the antivirus software  marketshare.
Count that ratio in and what you get may be the bigger risk in absolute numbers.

Source:
https://securelist.com/analysis/kaspersky-security-bulletin/59414/financial-cyber-threats-in-2013-part-2-malware/#24

Hey, it was just free advice. 

But: the point is that relatively few criminals can physically forge or modify a Trezor, whereas any teenager could buy a real Trezor and preload it with malicious unsigned firmware that he got from his hacker buddy.  So, even if the second variant has a low probability of success (owners who ignore the warning), it may be the bigger risk in absolute numbers.

Actually it is still many degrees easier to target to tens of thousands people who simply don't care and use some webwallet. Attacking users who don't use any protection simply has better effort/reward ratio.

To perform advanced attacks like you described, you need to:
1) Get signed malicious software (highly unlikely considering security standards which we've chosen, because we're aware of this risk).
2) Distribute such software to end users and convince users to update.
3) Infect their computers to actually use that malicious firmware

In oposite, to hack into ANY OTHER wallet, you need
1) keylogger

Actually much likely hack to Trezor owner is to kidnap his wife. But if *this* is the only concern, then Trezor moves bitcoin security standard to completely another level considering current (pre-Trezor) epoch.

Good for you, but the "net fishing" class of criminals will be quite happy if even if only 5 of 100 people who got their Trezors with malicious firmware click "yes" and then enter their PIN.   They will not target you; they will aim for your grandmother and your 13-year-old cousin.

The fake Trezor (or the malicious firmware, signed or unsigned)  can be programmed to select from a small set of private keys that were pre-generated by the thief, instead of random ones.  Therefore, the criminal does not need to steal the fake Trezor back.  He does not even have to know the victims or in which country they reside.  He has only to place the fake/reprogrammed Trezors in the market stream somehow, and then watch the blockchain until some of those precomputed addresses receive enough bitcoins.

So the easiest way to get to the seed is to load satoshilabs signed seed-recovery-firmware, right? ;-)

I'm not sure it would be more difficult to hack, but since it is a widely used standard product it should be easier to verify.

Having the firmware and the keys on a smart card, or two separate smart cards, would also be nice.

The risk of having an intercepted trezor and an intercepted bios infected PC/Laptop should be about the same, so I'd say that the risk is there but infinitesimal small.

BTW: When will new ones be sold?

Criminals can replace photos on passports and forge dollar bills.  Surely can re-seal a plastic case so that it looks pristine.

You are asking for free security advice from someone who is not a security expert? 

But, whatever:

I think that it would be a bit safer if the firmware was all in ROM, so it could not be changed except by physically tampering with the device.  That may limit the useful life of the hardware, but this may be a good thing.

The case could have some intricate pattern hot-printed onto it, so that it would be harder to imitate and to re-seal after being cut.

Opening a Trezor will break the casing, as far as I know. Even if you glue it back together it would look broken (and thus suspicious).

I think we can all agree the risk is not zero.  You yourself said it is "better" than other systems.  Do you have suggestions to go along with your comments?

Making a totally fake Trezor requires milling/molding tools, custom electronics, display, etc..  Not worse than making an ATM skimmer, but not so trivial either.  On the other hand, anyone with a PC could buy a legitimate Trezor and load it with malicious firmware.

A middle ground could be replacing or piggy-backing some chip in a legitimate Trezor, so as to override the standard bootloader and/or suppress the signature checking.  That would require faking only the outer case, or cutting it open and then closing it with invisible seams.

If satoshilabs can sign legitimate firmware, a hacker or an insider with the right access could sign a malicious version too, or trick someone in the lab to sign it for him.

That compromised Trezor would not be able to provide valid signatures for payment transactions, but (like any ATM skimmer) could emulate a legitimate one well enough and long enough to trick the user into entering his PIN and passphrase.  (The account data, including balances, can be captured in the PC and used to load the fake Trezor.)

If the malicious firmware is installed before the first use, and the owner clicks 'yes' at the warning, the Trezor can provide him with an account whose private key is not generated at random but is fixed and known to the thief.  Think from there...

This last risk would not be much different in principle than the risk of the thief swapping the device during delivery for a totally fake Trezor, with malicious bootloader.  The  'soft' version would depend on a dumb user clicking 'Yes' at the warning, but on the other hand would not require mechanical skills, just the ability to re-seal the package.

Once again, signing transactions with a Trezor certainly seems safer than signing them in your PC or smartphone.  But one should not think that the risk is zero.  I don t think that it is yet the time to give one to mom for her to keep all her savings in.

I am a newbie here, but wasn't there a time when bitcoins were believed to be impossible to steal?

That said, most of attacks designed above are not related to Trezor itself. If the only attack vectors are those who including kidnapping or torturing, then we designed it well, because defending physical attacks was not in scope of Trezor project. We aimed to solution which gives bitcoins back to hands of people.

No, because those malicious firmware won't be digitally signed. We do use ECDSA, so the firmware signature uses the same strong crypto as bitcoin itself.


As said above, uploading unofficial firmware erases internal memory, so even after using compromited device and clicking "I take the risk" (I would not recommend that), nothing happen, because Trezor is completely empty.

(I though that this thread was about Trezor, not about me.)

When validating a system one MUST be paranoid.  If there is a way to break it, no matter how "unlikely", that is the way that criminals will aim for.  You cannot expect tham to be nice and only try those attacks that you have protected against.

There is nothing paranoid about fake or compromised Trezors being used to steal  passwords and PINs.

The fact that one can upload new firmware does increase the risks.  For one thing, a hacker or a rogue satoshilabs employee could get his malicious firmware signed, and then use it in many ways (besides the one I described).  I hope that you are paranoid enough to imagine some more.

Suppose that one day a client tries to use his Trezor, where he put all his BTC, and it shows "warning, firmware is unsigned,do you want to continue?" What is the probability that he will click "yes" (and then enter his passphrase when the device asks for it), rather than calling the Trezor hotline?

Here is an example of a good question followed by a very good answer.

Wait a minute.  I, for one, appreciate any and all eyes on this.  So far most of his questions have been totally reasonable, appreciated and answered.  Some of them have been redundant but that is OK.  This is billed as the safest or at least one of the safest ways to store you BTC.  So far I have not seen any holes in the system but it does not hurt to question the system - and might uncover something.

The camera looking over your shoulder stuff is, of course, over the top as that would be detrimental to any system.  But firmware upgrades do need to be questioned and all questions need to be addressed.

they're commonly known as "skimmers" in the trade ...

your "Or whaterver?" seems to be the best summary of the thrust and quality of your arguments thus far.