[PSA] Non-genuine Trezor One devices spotted

gentlemand

legendary

Activity: 2590

Merit: 3008

Welt Am Draht

Quote from: LTU_btc on November 24, 2018, 08:21:03 PM

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

The only mention I can find is 'online marketplaces' which is presumably Ebay and Amazon.

I can't find any mention of what happens when you connect it to a Trezor interface. It's a tad worrying that the only differences they can offer are the hologram and a mention of being made in China. Both are rectified easily enough.

aoluain

legendary

Activity: 2254

Merit: 1256

We know by now that the only way to eliminate receiving a fake Trezor
is to purchase directly from the manufacturer but if you dont know
that it is easy to get caught by buying a fake at what seems like a deal.

Regarding the hologram, im sure these can be copied. I have seen
copies of PAMP carded Gold bars which were in fact fakes, everything
looked almost perfect including the hologram. The only noticable
difference was the thickness of the "gold" bar. So anything can be copied
near enough to the original to trick people.

Again only way is to buy from the official source.

LTU_btc

legendary

Activity: 3038

Merit: 1330

Slava Ukraini!

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: HeRetiK on November 22, 2018, 09:16:23 AM

Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

Actually then there is no way to determine if it is an original or a copy of Trezor hardware wallet, maybe only if user have 100% original Trezor ordered from the manufacturer directly and suspicious product in front of you.

Apart from the difference in holographic seal there are probably some differences in the box and in the hardware wallet itself. Some tips can be seen in this video, but only right way to buy hardware wallet is directly from manufacturer - in this way the possibility to get fake wallet is maximally reduced.

HeRetiK

legendary

Activity: 2912

Merit: 2066

Cashback 15%

Quote from: HCP on November 21, 2018, 08:55:43 PM

Quote from: Lucius on November 21, 2018, 11:32:35 AM

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? Huh

SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!? Huh

Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

HCP

legendary

Activity: 2086

Merit: 4314

Quote from: Lucius on November 21, 2018, 11:32:35 AM

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? Huh

SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!? Huh

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: ?? on ??

Unfortunately, they don't show difference between fake and real hardware wallet/device whether by physical or software/firmware different.
I'd like to know if desktop wallet software could identify between real/fake trezor and whether using genuine firmware update will break fake trezor.

Only way to see the difference between fake and real Trezor is for now only holographic seal as shown in the pictures, but these holograms are very similar and it is not easy to distinguish them if you not have original and fake package.

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

HeRetiK

legendary

Activity: 2912

Merit: 2066

Cashback 15%

Just a heads-up, SatoshiLabs just sent out a newsletter that the first 1:1 Trezor One clones have been finally spotted in the wild:

https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7

For the longest time I expected the likes of an evil maid attack [1] to be of mostly theoretical concern, but while a different issue this problem is of similar concern. As of now it seems to be unsure whether these clones are malicious, but I personally wouldn't take any chances.

To any newbies reading this: Be reminded that buying hardware wallets anywhere but from the original vendors is a huge security risk. That's true for any sort of hardware wallet, not just Trezor.

[1] https://doc.satoshilabs.com/trezor-faq/threats.html#evil-maid-attack-replace-the-trezor-with-a-fake

Topic: [PSA] Non-genuine Trezor One devices spotted (Read 252 times)