How dangerous are hardware wallet updates?

Saint-loup

legendary

Activity: 2604

Merit: 2353

Quote from: Coin-Keeper on November 26, 2024, 02:26:19 PM

One thing that has not been discussed in this thread is using software with a much larger attack surface when you don't need to. Expanding the thought --- > IF you are trading or hodling Bitcoin as a user WHY would you install the generic software for all the shitcoins and stuff?

Many if not most Trezor users (at least in my case anyway) are trading are keeping BTC only. Make SURE to use Bitcoin ONLY software in your Trezors. Simple and much smaller attack surface for someone with nefarious intentions. I have to feel that the BTC only software would be easier to verify IF something went amiss. And of course on the user's end the software verifies itself during upgrade. So destruction in transit is not a thing to worry about, only the thought that a bad package was being sent by the "mothership", which is very unlikely.

I won't personally send any coins using a version of Suite until its been released for 2 weeks. An arbitrary thing I do. Strangely I don't feel this way about Electrum versions due to the simplicity of verification and the fact that the files are GPG signed by THREE advanced developers during release.

If you only use Bitcoin, the safest way to hold your bag with an HW you need to connect and upgrade regularly, is to use a multisig wallet. With a multisig wallet you don't care of any software or firmware update, since neither the provider, nor any of their hacker will be able to know the second seed/key of your wallet. For that an attacker would need to hack your second device/computer on top of your first hardware wallet. So IMO, instead of staying concerned by Trezor Suite and firmware updates you should take a little moment to set up a multisig wallet with your Trezor device.

examplens

legendary

Activity: 3514

Merit: 3585

Crypto Swap Exchange

Quote from: Pmalek on November 28, 2024, 11:33:09 AM

Quote from: ? on November 28, 2024, 09:21:34 AM

Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didnt change anything as a user?

It doesn't really matter because it's an optional feature. If you can't find it in your settings, it means you are using an older Trezor Suite version. The next time you update it, check the settings, find the automatic update option, and check if it's ticked or not. Untick it if you don't want Trezor to install updates for you, and you are done.

I understand his concern. Almost all applications must have additional subsequent settings because many features are included by default that users would otherwise not activate independently.
The Trezor suite has also undergone many changes and additions compared to the first version, and most users do not pay attention to the fine print of additional terms.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: ? on November 28, 2024, 09:21:34 AM

Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didnt change anything as a user?

It doesn't really matter because it's an optional feature. If you can't find it in your settings, it means you are using an older Trezor Suite version. The next time you update it, check the settings, find the automatic update option, and check if it's ticked or not. Untick it if you don't want Trezor to install updates for you, and you are done.

examplens

legendary

Activity: 3514

Merit: 3585

Crypto Swap Exchange

Quote from: ? on November 28, 2024, 09:21:34 AM

Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didnt change anything as a user?

It came with some Trezor suite updates and was unchecked by default. And, it cannot be said that they imposed this option. Alos, I noticed it only after the next update.
There is an option to turn this feature on or off in the settings

?

Activity: -

Merit: -

Quote from: Pmalek on November 27, 2024, 11:33:43 AM

Quote from: examplens on November 26, 2024, 09:50:49 AM

The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.

I saw that in Trezor's release notes a few days ago. I don't like the idea of Trezor Suite automatically updating either, and luckily you can tick/untick the option to allow the software to automatically update in the settings.
That's still better than what Ledger did with Ledger Live. I am not sure since I haven't updated LL for a long time, but I believe they added automatic updates to their software as well but without giving end-users an option to disable them. Can someone who still uses Ledger Live and has an updated version confirm if this is true?

Can you tell me, is the auto-update box ticked or unticked with Trezor Suite if you didnt change anything as a user?

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: examplens on November 26, 2024, 09:50:49 AM

The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.

This is still only optional automatic-updates (change is available in settings), so I would not check the box, but this is just updates for Trezor app, not for Trezor device firmware, there is a big difference.
You don't even have to use Trezor Suite if you are only using Trezor device with Bitcoin, Electrum and Sparrow are working great, but they also hjave updates Wink

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: examplens on November 26, 2024, 09:50:49 AM

The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.

I saw that in Trezor's release notes a few days ago. I don't like the idea of Trezor Suite automatically updating either, and luckily you can tick/untick the option to allow the software to automatically update in the settings.
That's still better than what Ledger did with Ledger Live. I am not sure since I haven't updated LL for a long time, but I believe they added automatic updates to their software as well but without giving end-users an option to disable them. Can someone who still uses Ledger Live and has an updated version confirm if this is true?

Forsyth Jones

hero member

Activity: 1120

Merit: 540

Duelbits - Play for Free | Win for Real

Quote from: ? on November 21, 2024, 09:37:01 AM

Hello,

Everytime I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
I understand that the updates have advantages too, but how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
I usually try to postpone updates for as long as possible. Is it possible to never update the Suite and still keep using it without problems, or will it be impossible and will I possibly even lose my coins if I never update?

I'm trying to find the wisest way how to deal with updates and would like to hear some input, thanks!

What is more risky for you? Not updating or keeping it updated? New updates usually come with bug fixes, new features and security improvements. The main purpose of these firmware updates is to improve security.

One of the plausible risks would be if you download a tampered firmware file. However, in most hardware wallets, updates are made directly from the device management application. These firmware files already come with the binary signed by the manufacturer. This verification is performed before installation. Other manufacturers, such as Trezor, allow the user to manually verify the signature.

Coin-Keeper

hero member

Activity: 761

Merit: 606

One thing that has not been discussed in this thread is using software with a much larger attack surface when you don't need to. Expanding the thought --- > IF you are trading or hodling Bitcoin as a user WHY would you install the generic software for all the shitcoins and stuff?

Many if not most Trezor users (at least in my case anyway) are trading are keeping BTC only. Make SURE to use Bitcoin ONLY software in your Trezors. Simple and much smaller attack surface for someone with nefarious intentions. I have to feel that the BTC only software would be easier to verify IF something went amiss. And of course on the user's end the software verifies itself during upgrade. So destruction in transit is not a thing to worry about, only the thought that a bad package was being sent by the "mothership", which is very unlikely.

I won't personally send any coins using a version of Suite until its been released for 2 weeks. An arbitrary thing I do. Strangely I don't feel this way about Electrum versions due to the simplicity of verification and the fact that the files are GPG signed by THREE advanced developers during release.

MY .02

examplens

legendary

Activity: 3514

Merit: 3585

Crypto Swap Exchange

Quote from: DaveF on November 25, 2024, 06:56:16 AM

Some of it is due diligence. The suite says you need an update, OK fine. Go to https://github.com/trezor/trezor-suite/releases and check if they have an update listed.

The suite has recently implemented an auto-update option.
Somehow, but I don't think it's the smartest decision, because the update fails only after a few days of use. I would rather wait until a certain period of testing has passed, I think that often just a few days are enough.

?

Activity: -

Merit: -

Quote from: SFR10 on November 23, 2024, 01:38:34 PM

Quote from: ? on November 21, 2024, 09:37:01 AM

how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?

Nothing is 100% bullet-proof if it's accessible on the internet, but chances of an official source getting compromised are usually low... Regardless of that, you should ALWAYS verify the authenticity of the downloaded Trezor Suite file, before installing it: Download & verify Trezor Suite ^{[the whole process takes a minute to complete]}

This is a very good advice, thanks!

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Some of it is due diligence. The suite says you need an update, OK fine. Go to https://github.com/trezor/trezor-suite/releases and check if they have an update listed.

Always check the USL you are going to.
How may of you clicked the above link that actually just took you to the main bitcointalk page instead of where it showed.

Don't search for it, make sure that you know the proper URL of where to go.

Verify with the actual software on your PC and make sure that yes you are in the correct spot.

Most scammers go after the easy targets, i.e. those that just type trezor into a search box so they can poison the search results.
Or they post bad links.

And so on.

-Dave

Pmalek

legendary

Activity: 2730

Merit: 7065

@Meuserna
Trust always remains a factor we have to consider regardless of open or close-source. The reality is that most people have to rely on others to tell them what is safe or unsafe be it a person like you and me or first-hand info from the company.

In some other communities I visit, people don't talk that much about open vs closed-source. Ledger and Trezor remain the two most popular brands despite everything that happened. I am sure that remains the case in many other online communities.

Meuserna

full member

Activity: 128

Merit: 190

Quote from: Pmalek on November 24, 2024, 05:15:57 PM

Serious companies have release notes containing information about all changes in the update.

It's important to mention, that only works for open source code. Luckily, the OP is using a Trezor, which is open source.

Information about firmware changes is irrelevant for closed source devices like Ledger, because there's no way to prove any of what they say. Ledger's code is closed source, and they lie about... well... everything. It doesn't matter what Ledger says, since nothing they say can be trusted.

Any hardware wallet that uses closed source code cannot be trusted.

Ledger cannot be trusted.

Trezor can be trusted, but even if somebody doesn't want to trust them, no worries. Every line of Trezor's code is published online. Lots of experts read it, verify it, and use it in their own projects. That's the beauty of open source code.

Pmalek

legendary

Activity: 2730

Merit: 7065

Serious companies have release notes containing information about all changes in the update. Before you perform a software update or firmware upgrade, you can read the release notes to check if anything critical was fixed. If the update only introduces cosmetic changes, then there is no hurry. You can postpone it until a later date. If it fixed a vulnerability, and security issue, you ought to give it more priority.

If you are worried about fake software and updates, verify the signatures of your wallets before installing them. That way you will ensure that they originate from genuine developers.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

I agree that there is a risk in updating it. But there is also a risk in not updating it, as some important security updates come everytime .

As BrokenM14, the best is to wait a few months before making the firmware update .

And always keep your seed, as your hw may reset in a firmware update.

SFR10

legendary

Activity: 2968

Merit: 3406

Crypto Swap Exchange

Quote from: ? on November 21, 2024, 09:37:01 AM

how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?

Nothing is 100% bullet-proof if it's accessible on the internet, but chances of an official source getting compromised are usually low... Regardless of that, you should ALWAYS verify the authenticity of the downloaded Trezor Suite file, before installing it: Download & verify Trezor Suite ^{[the whole process takes a minute to complete]}

zabzob

member

Activity: 90

Merit: 26

Quote from: The Sceptical Chymist on November 22, 2024, 02:35:27 PM

Quote from: zabzob on November 21, 2024, 12:17:13 PM

Looks like OP is concerned about scammers/thieves, not only bugs and software issues here.

That's my impression too, but when it comes to HW wallets these days I'd be more afraid of updates installing crap like the Recover thing that Ledger rolled out than scammers pushing fake updates with malware or whatever. Also, it seems like a lot of updates (not just with HW wallets but software ones as well) bring a lot of bloat in the form of advertising, partnerships, and the like. It's like a wallet can't just be a wallet anymore but a platform for the creators to push garbage on their user base.

And yeah, I'd probably wait as long as I could before installing any updates. That's just me, though, and I'm no expert when it comes to tech so that isn't advice. The incident with Ledger really spooked me.

That's a good point, bloatware is a third issue in addition to bugs and malware. Putting adware on a hardware wallet is insane, it reduces security by increasing attack surface. It's one thing to do it on some free phone wallet like Mycelium, since they have to get paid somehow. But putting it on a hardware wallet that people pay good money for? Inexcusable. It's like showing commercials in the movie theater when you've paid for a ticket, I hate that. What hardware wallets are doing that? I haven't seen it, but I mostly only have used Trezor in the past.

Zaguru12

hero member

Activity: 868

Merit: 952

Quote from: The Sceptical Chymist on November 22, 2024, 02:35:27 PM

And yeah, I'd probably wait as long as I could before installing any updates. That's just me, though, and I'm no expert when it comes to tech so that isn't advice. The incident with Ledger really spooked me.

To me this is a perfect suggestion I have been used to this all along, I am kind of like if it’s not broken don’t fix person, not only to wallet firmware updates but to all other softwares I do not bother updating them early and I can clearly say it has saved me most of the times with new updates bugs, most of the time when new updates are released there is bugs and it is the later updates of that version that fixes it after some complaints. So yes stick to extending the time of updating the wallets, surprisingly this days the older versions are more friendly and less buggy to use than the latest ones with their stylish and sophisticated UI/UX designs

One important always to OP when updating your wallet is to make sure the seed phrase are properly backed up offline because some of these wallets sometimes clears off data and you would need to import the seed phrase again or some of them asks for it after the update

The Sceptical Chymist

legendary

Activity: 3556

Merit: 7011

Top Crypto Casino

Quote from: zabzob on November 21, 2024, 12:17:13 PM

Looks like OP is concerned about scammers/thieves, not only bugs and software issues here.

That's my impression too, but when it comes to HW wallets these days I'd be more afraid of updates installing crap like the Recover thing that Ledger rolled out than scammers pushing fake updates with malware or whatever. Also, it seems like a lot of updates (not just with HW wallets but software ones as well) bring a lot of bloat in the form of advertising, partnerships, and the like. It's like a wallet can't just be a wallet anymore but a platform for the creators to push garbage on their user base.

And yeah, I'd probably wait as long as I could before installing any updates. That's just me, though, and I'm no expert when it comes to tech so that isn't advice. The incident with Ledger really spooked me.

Z-tight

legendary

Activity: 994

Merit: 1089

Wheel of Whales 🐳

Quote from: ? on November 22, 2024, 08:51:09 AM

How can you say this so certain?
I have read multiple cases of people who had their wallet drained after simply clicking on something that secretly allowed some small contract to spend all their coins. For this no seed phrase is needed, at least that is what they told in their stories.

When you store your seed phrase in a safe place, it does not mean you go about clicking on suspicious or random links, especially if your funds is stored in an online wallet, the only way attackers can steal your funds is if they get hold of your seed phrase, and they can either steal it physically or online. You need to have good opsec and protect your seed words everytime.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: ? on November 22, 2024, 08:51:09 AM

How can you say this so certain?

No, I can't be certain what dumb people are doing with their seed words and who is having access to them.
Please be serious and stop asking questions like this in future, or you won't get any serious answers.
Stop messing with shitcoins and stupid contracts if you don't want to lose your coins.

?

Activity: -

Merit: -

Quote from: dkbit98 on November 21, 2024, 12:19:21 PM

Quote from: ? on November 21, 2024, 09:37:01 AM

Everytime I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.

There is a difference with updating Trezor Suite software that happens more often, compared to updating Trezor device firmware.
Honestly, if you have seed words stored in safe place (offline or paper or stainless steel) you don't have to worry about anything.
I never heard of Trezor device getting bricked often (unlike some other hardware wallets), except maybe in rear cases if you run out electricity during firmware update.
To mitigate this, make sure you are doing update from your laptop if possible, and make sure you are using only official website links.
Keeping outdated firmware can be dangerous in some cases, especially if there are security flaws in older version.

How can you say this so certain?
I have read multiple cases of people who had their wallet drained after simply clicking on something that secretly allowed some small contract to spend all their coins. For this no seed phrase is needed, at least that is what they told in their stories.

Saint-loup

legendary

Activity: 2604

Merit: 2353

I agree but your seed can't be stolen when your device is not connected so maybe you could temporarily send your funds to another cold wallet if you have one, make your upgrade, and then you create a new wallet with a new seed on your HW wallet and send your funds back to it and then avoid to connect your HW wallet. If you need to check your fund you can look at it on a blockchain explorer or on a watch-only wallet. If the seed has been created after the last connection, it's not exposed.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: ? on November 21, 2024, 09:37:01 AM

Everytime I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.

There is a difference with updating Trezor Suite software that happens more often, compared to updating Trezor device firmware.
Honestly, if you have seed words stored in safe place (offline or paper or stainless steel) you don't have to worry about anything.
I never heard of Trezor device getting bricked often (unlike some other hardware wallets), except maybe in rear cases if you run out electricity during firmware update.
To mitigate this, make sure you are doing update from your laptop if possible, and make sure you are using only official website links.
Keeping outdated firmware can be dangerous in some cases, especially if there are security flaws in older version.

zabzob

member

Activity: 90

Merit: 26

Looks like OP is concerned about scammers/thieves, not only bugs and software issues here. There is the question of whether a sophisticated attacker could insert malware into a firmware update for a hardware wallet, or client software like Trezor Suite, thus enabling them to steal huge amounts of crypto from users of the device once they install the update. The big score would be if someone found a way to get malicious firmware onto the company's servers, so that it goes out to all users who update.

This is possible in principle, though very difficult to accomplish. I've never heard of it happening but that in itself doesn't mean that it never will. An inside job, for example, is one scenario to consider. It comes down to how effective the company's security procedures are. No security system is 100% certain. Waiting as long as possible to install firmware updates can be effective for avoiding scammers as well as bugs, it's something I tend to do. Trezor's documentation pages have lots of info on how they mitigate the risks of various malicious attacks, including at software level, that may be a place to go for some info.

BrokenM14

newbie

Activity: 26

Merit: 4

I prefer to wait a month or two before updating my firmware, also. I think it's important to do the updates, however since there are some security features that can be improved by doing so.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: ? on November 21, 2024, 09:37:01 AM

~
I'm trying to find the wisest way how to deal with updates and would like to hear some input, thanks!

In my view it is quite good practice to not hurry up with updates as they may contain various bugs including those one with potential to turn your device into brick. Take the latest case with Passport 2 for instance. Its 2.3.2 firmware contained bug resulted in the wallet freeze at the end of update to the subsequent releases. I didn't update my device until they found this bug and published the procedure on how to work around discovered problem. Now my Passport 2 is running on the latest firmware after the smooth update from 2.3.2 to 2.3.5.

?

Activity: -

Merit: -

Hello,

Everytime I open my Trezor Suite and I am being asked to perform an update I get a bit nervous that maybe something can go wrong.
I understand that the updates have advantages too, but how big is the chance that scammers have somehow gotten a fake update into your Trezor Suite App and you accidentally install that one?
I usually try to postpone updates for as long as possible. Is it possible to never update the Suite and still keep using it without problems, or will it be impossible and will I possibly even lose my coins if I never update?

I'm trying to find the wisest way how to deal with updates and would like to hear some input, thanks!

Topic: How dangerous are hardware wallet updates? (Read 344 times)