
Topic: How dangerous are hardware wallet updates? - page 2. (Read 344 times)

legendary
Activity: 994
Merit: 1089
Wheel of Whales 🐳
November 22, 2024, 12:55:59 PM
#9
How can you say this so certain?
I have read multiple cases of people who had their wallet drained after simply clicking on something that secretly allowed some small contract to spend all their coins. For this no seed phrase is needed, at least that is what they told in their stories.
When you store your seed phrase in a safe place, it does not mean you go about clicking on suspicious or random links, especially if your funds are stored in an online wallet. The only way attackers can steal your funds is if they get hold of your seed phrase, and they can either steal it physically or online. You need to have good opsec and protect your seed words every time.
legendary
Activity: 2212
Merit: 7064
November 22, 2024, 10:02:08 AM
#8
How can you say this so certain?
No, I can't be certain what dumb people are doing with their seed words and who is having access to them.
Please be serious and stop asking questions like this in future, or you won't get any serious answers.
Stop messing with shitcoins and stupid contracts if you don't want to lose your coins.
?
Activity: -
Merit: -
November 22, 2024, 08:51:09 AM
#7
Every time I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
There is a difference with updating Trezor Suite software that happens more often, compared to updating Trezor device firmware.
Honestly, if you have seed words stored in a safe place (offline or paper or stainless steel) you don't have to worry about anything.
I never heard of a Trezor device getting bricked often (unlike some other hardware wallets), except maybe in rare cases if you run out of electricity during a firmware update.
To mitigate this, make sure you are doing the update from your laptop if possible, and make sure you are using only official website links.
Keeping outdated firmware can be dangerous in some cases, especially if there are security flaws in the older version.

How can you say this so certain?
I have read multiple cases of people who had their wallet drained after simply clicking on something that secretly allowed some small contract to spend all their coins. For this no seed phrase is needed, at least that is what they told in their stories.
legendary
Activity: 2604
Merit: 2353
November 21, 2024, 05:58:24 PM
#6
I agree, but your seed can't be stolen when your device is not connected, so maybe you could temporarily send your funds to another cold wallet if you have one, make your upgrade, and then create a new wallet with a new seed on your HW wallet, send your funds back to it, and then avoid connecting your HW wallet. If you need to check your funds you can look at them on a blockchain explorer or on a watch-only wallet. If the seed has been created after the last connection, it's not exposed.
legendary
Activity: 2212
Merit: 7064
November 21, 2024, 12:19:21 PM
#5
Every time I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
There is a difference with updating Trezor Suite software that happens more often, compared to updating Trezor device firmware.
Honestly, if you have seed words stored in a safe place (offline or paper or stainless steel) you don't have to worry about anything.
I never heard of a Trezor device getting bricked often (unlike some other hardware wallets), except maybe in rare cases if you run out of electricity during a firmware update.
To mitigate this, make sure you are doing the update from your laptop if possible, and make sure you are using only official website links.
Keeping outdated firmware can be dangerous in some cases, especially if there are security flaws in the older version.
member
Activity: 90
Merit: 26
November 21, 2024, 12:17:13 PM
#4
Looks like OP is concerned about scammers/thieves, not only bugs and software issues here. There is the question of whether a sophisticated attacker could insert malware into a firmware update for a hardware wallet, or client software like Trezor Suite, thus enabling them to steal huge amounts of crypto from users of the device once they install the update. The big score would be if someone found a way to get malicious firmware onto the company's servers, so that it goes out to all users who update.

This is possible in principle, though very difficult to accomplish. I've never heard of it happening but that in itself doesn't mean that it never will. An inside job, for example, is one scenario to consider. It comes down to how effective the company's security procedures are. No security system is 100% certain. Waiting as long as possible to install firmware updates can be effective for avoiding scammers as well as bugs, it's something I tend to do. Trezor's documentation pages have lots of info on how they mitigate the risks of various malicious attacks, including at software level, that may be a place to go for some info.
newbie
Activity: 26
Merit: 4
November 21, 2024, 10:43:00 AM
#3
I prefer to wait a month or two before updating my firmware, also. I think it's important to do the updates, however, since there are some security features that can be improved by doing so.
hero member
Activity: 714
Merit: 1298
November 21, 2024, 10:32:13 AM
#2
~
I'm trying to find the wisest way to deal with updates and would like to hear some input, thanks!

In my view it is quite good practice not to hurry with updates, as they may contain various bugs, including those with the potential to turn your device into a brick. Take the latest case with Passport 2, for instance. Its 2.3.2 firmware contained a bug that resulted in the wallet freezing at the end of the update to subsequent releases. I didn't update my device until they found this bug and published the procedure on how to work around the discovered problem. Now my Passport 2 is running the latest firmware after a smooth update from 2.3.2 to 2.3.5.
?
Activity: -
Merit: -
November 21, 2024, 09:37:01 AM
#1
Hello,

Every time I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
I understand that the updates have advantages too, but how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
I usually try to postpone updates for as long as possible. Is it possible to never update the Suite and still keep using it without problems, or will it be impossible and will I possibly even lose my coins if I never update?

I'm trying to find the wisest way to deal with updates and would like to hear some input, thanks!