How to prevent if The Trezor release new firmware update to steal Bitcoin

dkbit98

legendary

Activity: 2212

Merit: 7064

Cashback 15%

Quote from: erictan90 on February 22, 2022, 03:01:55 AM

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Confiscating trezor or any other hardware wallet is not needed if they find (or you give them) your seed words backup.
You can somehow improve safety of your funds by adding multiple passphrases and creating fake decoy account with smaller amount of bitcoins.
Multisig with other hardware or software wallets could also be one of the options but it adds extra layer of complexity and it's meant for storing larger amount of coins.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: erictan90 on February 22, 2022, 03:01:55 AM

They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Both your Trezors would rely on the same code and software. If you are using the same seed on both, the one where you installed that malicious update would cause you to lose everything. Alternatively, you could have two different wallets protected by different seeds in each of your Trezors. Or two different passphrased wallets.

In theory. If any open-source client releases a backdoored and malicious update, and the vulnerability is not checked or discovered by anyone in the updated code, it can lead to the loss of funds for those who installed the new update. But with hardware wallets, you are forgetting that you have to physically approve the transaction by pressing the correct buttons on the gadget. The malicious code could be written to reveal your seed maybe or have you generate pre-generated addresses that belong to scammers when you want to send a new transaction.

erictan90

newbie

Activity: 22

Merit: 7

Thanks for all the replies. Really appreciate it. 👍🏻

ABCbits

legendary

Activity: 2856

Merit: 7410

Crypto Swap Exchange

Quote from: erictan90 on February 22, 2022, 04:39:52 AM

yup, I guess we should use 2 Trezor, 1 for testing if the new update is good when every new update is released.🤔

If you worry that much, but willing to spend money/time for testing, then Trezor isn't best option for you. You better use airgapped computer where you choose OS/software you could trust and use QR code as medium to transfer unsigned/signed transaction.

Otherwise, i would repeat what @jackg said about basic security awareness/research from user side.

examplens

legendary

Activity: 3248

Merit: 3098

Quote from: ABCbits on February 22, 2022, 07:58:41 AM

Otherwise, i would repeat what @jackg said about basic security awareness/research from user side.

I agree here.
Waiting a few days to pass the first tests is always a good solution. I do that almost always because it is not uncommon to make another new one with additional improvements, almost immediately after the new version.
I gained that experience in working with the administration of Windows, the new update often caused me unexpected problems.
for Trezor I don't even remember which the last update was mandatory and without it it could not function

witcher_sense

legendary

Activity: 2310

Merit: 4313

🔐BitcoinMessage.Tools🔑

Quote from: erictan90 on February 22, 2022, 03:01:55 AM

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

In order to prevent being hacked by a Trezor team, you should behave the same way you behave while interacting with the bitcoin network, which is you don't trust what you see, instead you run your own open-source software and maintain your own copy of transactions history to verify everything by yourself before accepting. If you're concerned about the credibility of Trezor, don't run their software, use other open-source alternatives. Don't trust the firmware they are forcing you to install. Either verify it and reproduce from source code or never update your device. Once you bought your hardware wallet, you have become an owner of an autonomous, independent device the security of which shouldn't necessarily be maintained or rely on the company that produced it.

erictan90

newbie

Activity: 22

Merit: 7

Quote from: m2017 on February 22, 2022, 04:24:24 AM

Quote from: OmegaStarScream on February 22, 2022, 03:04:00 AM

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

I've always been curious to know how often the source code is checked? When does a new release come out? Who is doing this? How many people check the source code? How much can they be trusted?

Sorry for so many questions. I wanted to know, at least superficially, how this is implemented.

Quote from: erictan90 on February 22, 2022, 03:01:55 AM

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

It seems to me that if this is implemented, it will be done differently. The regulator will create conditions under which people themselves will be forced to give their bitcoins or part of it in the form of taxes.

yup, I guess we should use 2 Trezor, 1 for testing if the new update is good when every new update is released.🤔

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: erictan90 on February 22, 2022, 04:27:13 AM

I mean user don't noticed that Trezor is captured and they voluntarily update it.

I think there's a slight obligation by the user to do a small amount of research before updating (or waiting a few days without installing and update or using the device) to see if anything is unusual. Completely updating to a new UI you're unfamiliar with can be problematic too for example.

erictan90

newbie

Activity: 22

Merit: 7

Quote from: jackg on February 22, 2022, 04:04:49 AM

Also I don't think trezor can force people to update their firmware if they don't want to. I guess they could make it incompatible but since there are other drivers that can be used and it's open source, that makes things a lot harder for them to succeed in an attack.

I mean user don't noticed that Trezor is captured and they voluntarily update it.

m2017

legendary

Activity: 1792

Merit: 1296

keep walking, Johnnie

Quote from: OmegaStarScream on February 22, 2022, 03:04:00 AM

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

I've always been curious to know how often the source code is checked? When does a new release come out? Who is doing this? How many people check the source code? How much can they be trusted?

Sorry for so many questions. I wanted to know, at least superficially, how this is implemented.

Quote from: erictan90 on February 22, 2022, 03:01:55 AM

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

It seems to me that if this is implemented, it will be done differently. The regulator will create conditions under which people themselves will be forced to give their bitcoins or part of it in the form of taxes.

erictan90

newbie

Activity: 22

Merit: 7

Quote from: OmegaStarScream on February 22, 2022, 03:04:00 AM

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

Been open source is helpful but we need to wait for some time before update it, allowing people to check it first.
I believe many people will immediately update it as soon as new update released without any doubt.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Also I don't think trezor can force people to update their firmware if they don't want to. I guess they could make it incompatible but since there are other drivers that can be used and it's open source, that makes things a lot harder for them to succeed in an attack.

OmegaStarScream

staff

Activity: 3402

Merit: 6065

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

erictan90

newbie

Activity: 22

Merit: 7

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

Topic: How to prevent if The Trezor release new firmware update to steal Bitcoin (Read 127 times)