
Topic: How dangerous are hardware wallet updates? (Read 344 times)

legendary
Activity: 2604
Merit: 2353
November 29, 2024, 05:58:38 PM
#29
One thing that has not been discussed in this thread is using software with a much larger attack surface when you don't need to.  Expanding the thought --- >  IF you are trading or hodling Bitcoin as a user WHY would you install the generic software for all the shitcoins and stuff?

Many if not most Trezor users (at least in my case anyway) are trading or keeping BTC only.  Make SURE to use Bitcoin ONLY software in your Trezors.  Simple and much smaller attack surface for someone with nefarious intentions.  I have to feel that the BTC only software would be easier to verify IF something went amiss.  And of course on the user's end the software verifies itself during upgrade.  So destruction in transit is not a thing to worry about, only the thought that a bad package was being sent by the "mothership", which is very unlikely.

I won't personally send any coins using a version of Suite until it's been released for 2 weeks.  An arbitrary thing I do.  Strangely I don't feel this way about Electrum versions due to the simplicity of verification and the fact that the files are GPG signed by THREE advanced developers during release.
If you only use Bitcoin, the safest way to hold your bag with an HW you need to connect and upgrade regularly is to use a multisig wallet. With a multisig wallet you don't care about any software or firmware update, since neither the provider nor any of their hackers will be able to know the second seed/key of your wallet. For that an attacker would need to hack your second device/computer on top of your first hardware wallet. So IMO, instead of staying concerned about Trezor Suite and firmware updates, you should take a little moment to set up a multisig wallet with your Trezor device.
legendary
Activity: 3514
Merit: 3585
November 28, 2024, 11:56:13 AM
#28
Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didn't change anything as a user?
It doesn't really matter because it's an optional feature. If you can't find it in your settings, it means you are using an older Trezor Suite version. The next time you update it, check the settings, find the automatic update option, and check if it's ticked or not. Untick it if you don't want Trezor to install updates for you, and you are done. 
I understand his concern. Almost all applications must have additional subsequent settings because many features are included by default that users would otherwise not activate independently.
The Trezor suite has also undergone many changes and additions compared to the first version, and most users do not pay attention to the fine print of additional terms.
legendary
Activity: 2730
Merit: 7065
November 28, 2024, 11:33:09 AM
#27
Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didn't change anything as a user?
It doesn't really matter because it's an optional feature. If you can't find it in your settings, it means you are using an older Trezor Suite version. The next time you update it, check the settings, find the automatic update option, and check if it's ticked or not. Untick it if you don't want Trezor to install updates for you, and you are done. 
legendary
Activity: 3514
Merit: 3585
November 28, 2024, 09:35:02 AM
#26
Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didn't change anything as a user?
It came with some Trezor Suite updates and was unchecked by default. And, it cannot be said that they imposed this option. Also, I noticed it only after the next update.
There is an option to turn this feature on or off in the settings
?
Activity: -
Merit: -
November 28, 2024, 09:21:34 AM
#25
The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.
I saw that in Trezor's release notes a few days ago. I don't like the idea of Trezor Suite automatically updating either, and luckily you can tick/untick the option to allow the software to automatically update in the settings.
That's still better than what Ledger did with Ledger Live. I am not sure since I haven't updated LL for a long time, but I believe they added automatic updates to their software as well but without giving end-users an option to disable them. Can someone who still uses Ledger Live and has an updated version confirm if this is true?

Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didn't change anything as a user?
legendary
Activity: 2212
Merit: 7064
November 27, 2024, 05:19:53 PM
#24
The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.
This is still only optional automatic-updates (change is available in settings), so I would not check the box, but this is just updates for Trezor app, not for Trezor device firmware, there is a big difference.
You don't even have to use Trezor Suite if you are only using a Trezor device with Bitcoin; Electrum and Sparrow are working great, but they also have updates ;)
legendary
Activity: 2730
Merit: 7065
November 27, 2024, 11:33:43 AM
#23
The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.
I saw that in Trezor's release notes a few days ago. I don't like the idea of Trezor Suite automatically updating either, and luckily you can tick/untick the option to allow the software to automatically update in the settings.
That's still better than what Ledger did with Ledger Live. I am not sure since I haven't updated LL for a long time, but I believe they added automatic updates to their software as well but without giving end-users an option to disable them. Can someone who still uses Ledger Live and has an updated version confirm if this is true?
hero member
Activity: 1120
Merit: 540
November 26, 2024, 06:35:01 PM
#22
Hello,

Every time I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
I understand that the updates have advantages too, but how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
I usually try to postpone updates for as long as possible. Is it possible to never update the Suite and still keep using it without problems, or will it be impossible and will I possibly even lose my coins if I never update?

I'm trying to find the wisest way to deal with updates and would like to hear some input, thanks!
What is more risky for you? Not updating or keeping it updated? New updates usually come with bug fixes, new features and security improvements. The main purpose of these firmware updates is to improve security.

One of the plausible risks would be if you download a tampered firmware file. However, in most hardware wallets, updates are made directly from the device management application. These firmware files already come with the binary signed by the manufacturer. This verification is performed before installation. Other manufacturers, such as Trezor, allow the user to manually verify the signature.
hero member
Activity: 761
Merit: 606
November 26, 2024, 02:26:19 PM
#21
One thing that has not been discussed in this thread is using software with a much larger attack surface when you don't need to.  Expanding the thought --- >  IF you are trading or hodling Bitcoin as a user WHY would you install the generic software for all the shitcoins and stuff?

Many if not most Trezor users (at least in my case anyway) are trading or keeping BTC only.  Make SURE to use Bitcoin ONLY software in your Trezors.  Simple and much smaller attack surface for someone with nefarious intentions.  I have to feel that the BTC only software would be easier to verify IF something went amiss.  And of course on the user's end the software verifies itself during upgrade.  So destruction in transit is not a thing to worry about, only the thought that a bad package was being sent by the "mothership", which is very unlikely.

I won't personally send any coins using a version of Suite until it's been released for 2 weeks.  An arbitrary thing I do.  Strangely I don't feel this way about Electrum versions due to the simplicity of verification and the fact that the files are GPG signed by THREE advanced developers during release.

MY .02
legendary
Activity: 3514
Merit: 3585
November 26, 2024, 09:50:49 AM
#20
Some of it is due diligence. The suite says you need an update, OK fine. Go to https://github.com/trezor/trezor-suite/releases and check if they have an update listed.
The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.

?
Activity: -
Merit: -
November 25, 2024, 10:18:20 AM
#19
how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
Nothing is 100% bullet-proof if it's accessible on the internet, but chances of an official source getting compromised are usually low... Regardless of that, you should ALWAYS verify the authenticity of the downloaded Trezor Suite file, before installing it: Download & verify Trezor Suite [the whole process takes a minute to complete]

This is very good advice, thanks!
legendary
Activity: 3500
Merit: 6320
November 25, 2024, 06:56:16 AM
#18
Some of it is due diligence. The suite says you need an update, OK fine. Go to https://github.com/trezor/trezor-suite/releases and check if they have an update listed.

Always check the URL you are going to.
How many of you clicked the above link that actually just took you to the main bitcointalk page instead of where it showed?

Don't search for it, make sure that you know the proper URL of where to go.

Verify with the actual software on your PC and make sure that yes you are in the correct spot.

Most scammers go after the easy targets, i.e. those that just type trezor into a search box so they can poison the search results.
Or they post bad links.

And so on.

-Dave
legendary
Activity: 2730
Merit: 7065
November 25, 2024, 03:08:38 AM
#17
@Meuserna
Trust always remains a factor we have to consider regardless of open or closed-source. The reality is that most people have to rely on others to tell them what is safe or unsafe, be it a person like you and me or first-hand info from the company.

In some other communities I visit, people don't talk that much about open vs closed-source. Ledger and Trezor remain the two most popular brands despite everything that happened. I am sure that remains the case in many other online communities.
full member
Activity: 128
Merit: 190
November 24, 2024, 06:00:46 PM
#16
Serious companies have release notes containing information about all changes in the update.

It's important to mention that this only works for open source code.  Luckily, the OP is using a Trezor, which is open source.

Information about firmware changes is irrelevant for closed source devices like Ledger, because there's no way to prove any of what they say.  Ledger's code is closed source, and they lie about...  well...  everything.  It doesn't matter what Ledger says, since nothing they say can be trusted.

Any hardware wallet that uses closed source code cannot be trusted.

Ledger cannot be trusted.

Trezor can be trusted, but even if somebody doesn't want to trust them, no worries.  Every line of Trezor's code is published online.  Lots of experts read it, verify it, and use it in their own projects.  That's the beauty of open source code.
legendary
Activity: 2730
Merit: 7065
November 24, 2024, 05:15:57 PM
#15
Serious companies have release notes containing information about all changes in the update. Before you perform a software update or firmware upgrade, you can read the release notes to check if anything critical was fixed. If the update only introduces cosmetic changes, then there is no hurry. You can postpone it until a later date. If it fixed a vulnerability, and security issue, you ought to give it more priority.

If you are worried about fake software and updates, verify the signatures of your wallets before installing them. That way you will ensure that they originate from genuine developers.
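Both the point in post #21 above about Electrum releases being signed by three developers and this post's advice to verify signatures before installing come down to one check: the downloaded file must carry valid signatures from keys you pinned in advance, and enough of them. The following is an added example, not code from the thread, from Electrum or from Trezor: it builds the `gpg --status-fd 1 --verify` invocation against a pinned keyring and enforces a signer quorum by parsing gpg's status lines. The fingerprints, keyring path and status lines are constructed placeholders.

```python
"""Release-signature quorum check over gpg status output (added example; not
code from the thread, Electrum or Trezor). Policy: every valid signature must
come from a pinned fingerprint, and at least QUORUM distinct pinned signers
must have signed. Fingerprints and status lines are constructed placeholders."""
import subprocess

# Fingerprints pinned after checking them out of band (placeholders here).
PINNED_SIGNERS = {"1" * 40, "2" * 40, "3" * 40}
QUORUM = 3  # e.g. a release signed by three developers, as noted in the thread

def gpg_verify_command(sig_path, file_path, keyring):
    """gpg invocation: pinned keyring only, machine-readable status on stdout."""
    return ["gpg", "--no-default-keyring", "--keyring", keyring,
            "--status-fd", "1", "--verify", sig_path, file_path]

def run_gpg_status(sig_path, file_path, keyring):
    """Run gpg and return its status lines (needs gpg installed; not run here)."""
    proc = subprocess.run(gpg_verify_command(sig_path, file_path, keyring),
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

def valid_signers(status_lines):
    """Primary-key fingerprints from VALIDSIG lines. BADSIG/EXPKEYSIG/REVKEYSIG
    never yield VALIDSIG, so they are not counted. Fields: fpr date sig-ts
    expire-ts sig-ver reserved pk-algo hash-algo sig-class [primary-fpr]."""
    signers = set()
    for line in status_lines:
        p = line.split()
        if len(p) >= 11 and p[0] == "[GNUPG:]" and p[1] == "VALIDSIG":
            signers.add((p[11] if len(p) >= 12 else p[2]).upper())
    return signers

def check_policy(status_lines, pinned=PINNED_SIGNERS, quorum=QUORUM):
    """Return (ok, reason). A valid signature from an unpinned key means stop
    and investigate rather than silently ignoring it."""
    signers = valid_signers(status_lines)
    unknown = signers - pinned
    if unknown:
        return False, f"valid signature from unpinned key(s): {sorted(unknown)}"
    if len(signers) < quorum:
        return False, f"only {len(signers)} of {quorum} required pinned signers"
    return True, f"{len(signers)} pinned signers, quorum met"

def _validsig(fpr):  # constructed line in gpg's VALIDSIG format
    return f"[GNUPG:] VALIDSIG {fpr} 2024-11-20 1732060800 0 4 0 1 10 00 {fpr}"

# Constructed status output: three good signatures, vs. two good plus one bad.
SAMPLE_OK = ["[GNUPG:] NEWSIG"] + [_validsig(c * 40) for c in "123"]
SAMPLE_SHORT = [_validsig("1" * 40), _validsig("2" * 40),
                "[GNUPG:] BADSIG 3333333333333333 Dev Three (constructed)"]

if __name__ == "__main__":
    print(check_policy(SAMPLE_OK))     # (True, '3 pinned signers, quorum met')
    print(check_policy(SAMPLE_SHORT))  # (False, 'only 2 of 3 required pinned signers')
```

With a real keyring, feed `run_gpg_status(...)` into `check_policy` and refuse to install unless it returns `True`.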
legendary
Activity: 2352
Merit: 6089
November 23, 2024, 01:59:52 PM
#14
I agree that there is a risk in updating it. But there is also a risk in not updating it, as some important security updates come every time.

As BrokenM14 said, the best is to wait a few months before making the firmware update.

And always keep your seed, as your hw may reset in a firmware update.
legendary
Activity: 2968
Merit: 3406
November 23, 2024, 01:38:34 PM
#13
how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
Nothing is 100% bullet-proof if it's accessible on the internet, but chances of an official source getting compromised are usually low... Regardless of that, you should ALWAYS verify the authenticity of the downloaded Trezor Suite file, before installing it: Download & verify Trezor Suite [the whole process takes a minute to complete]
member
Activity: 90
Merit: 26
November 23, 2024, 07:04:41 AM
#12
Looks like OP is concerned about scammers/thieves, not only bugs and software issues here.

That's my impression too, but when it comes to HW wallets these days I'd be more afraid of updates installing crap like the Recover thing that Ledger rolled out than scammers pushing fake updates with malware or whatever.  Also, it seems like a lot of updates (not just with HW wallets but software ones as well) bring a lot of bloat in the form of advertising, partnerships, and the like.  It's like a wallet can't just be a wallet anymore but a platform for the creators to push garbage on their user base.

And yeah, I'd probably wait as long as I could before installing any updates.  That's just me, though, and I'm no expert when it comes to tech so that isn't advice.  The incident with Ledger really spooked me.

That's a good point, bloatware is a third issue in addition to bugs and malware. Putting adware on a hardware wallet is insane, it reduces security by increasing attack surface. It's one thing to do it on some free phone wallet like Mycelium, since they have to get paid somehow. But putting it on a hardware wallet that people pay good money for? Inexcusable. It's like showing commercials in the movie theater when you've paid for a ticket, I hate that. What hardware wallets are doing that? I haven't seen it, but I mostly only have used Trezor in the past.
hero member
Activity: 868
Merit: 952
November 22, 2024, 04:17:34 PM
#11

And yeah, I'd probably wait as long as I could before installing any updates.  That's just me, though, and I'm no expert when it comes to tech so that isn't advice.  The incident with Ledger really spooked me.

To me this is a perfect suggestion. I have been used to this all along; I am kind of an "if it's not broken, don't fix it" person, not only for wallet firmware updates but for all other software. I do not bother updating early, and I can clearly say it has saved me most of the time from new-update bugs: most of the time when new updates are released there are bugs, and it is the later updates of that version that fix them after some complaints. So yes, stick to extending the time before updating the wallets; surprisingly, these days the older versions are more friendly and less buggy to use than the latest ones with their stylish and sophisticated UI/UX designs.

One important thing to always tell OP: when updating your wallet, make sure the seed phrase is properly backed up offline, because some of these wallets sometimes clear off data and you would need to import the seed phrase again, or some of them ask for it after the update.
legendary
Activity: 3556
Merit: 7011
November 22, 2024, 02:35:27 PM
#10
Looks like OP is concerned about scammers/thieves, not only bugs and software issues here.

That's my impression too, but when it comes to HW wallets these days I'd be more afraid of updates installing crap like the Recover thing that Ledger rolled out than scammers pushing fake updates with malware or whatever.  Also, it seems like a lot of updates (not just with HW wallets but software ones as well) bring a lot of bloat in the form of advertising, partnerships, and the like.  It's like a wallet can't just be a wallet anymore but a platform for the creators to push garbage on their user base.

And yeah, I'd probably wait as long as I could before installing any updates.  That's just me, though, and I'm no expert when it comes to tech so that isn't advice.  The incident with Ledger really spooked me.