Author

Topic: Trezor announces Tropic Square (Read 178 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
May 18, 2020, 01:57:45 AM
#10
I'm not overly concerned about this particular vulnerability either, but if Trezor can do something to eliminate it I would be all in favor.  It sounds like all of our Trezors will become obsolete once Trezor finds a workable hardware solution.  I wish them much success. 

I wouldn't say older Trezor HW wallet become obsolete since it's secure enough unless you're specifically targeted by professional hacker.

Actually, in the lastest Trezor T update, they introduced SD card protection. A randomly generated secret is stored on an SD card which along with the PIN is used to decrypt the data stored on the device. I have tried it and it works well. Without the SD card, the device is practically useless for the attacker.

It's interesting feature, but i wonder if we can use multiple SD card (by perform raw copy from one SD card to another) in case you lost or broke your SD card which is quite small and fragile Huh
legendary
Activity: 1876
Merit: 3132
May 18, 2020, 04:39:05 AM
#9
It's interesting feature, but i wonder if we can use multiple SD card (by perform raw copy from one SD card to another) in case you lost or broke your SD card which is quite small and fragile Huh

Sure! Trezor automatically creates a folder in the main directory of the SD card (trezor -> device_DEVICEID) inside which there is a small 'salt' file. You can easily copy that folder to any SD card and it will work fine as long as its file system is set to FAT32.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
May 17, 2020, 10:04:36 AM
#8
Actually, in the lastest Trezor T update, they introduced SD card protection. A randomly generated secret is stored on an SD card which along with the PIN is used to decrypt the data stored on the device. I have tried it and it works well. Without the SD card, the device is practically useless for the attacker.

That's a pretty cool feature, but I have't played with it yet.  Honestly, I've been using my T1 mostly in recent months since it's smaller and more easily portable.  I have a very strong passphrase set.  I'm confident I'll have ample time to notice if it goes missing.
legendary
Activity: 1876
Merit: 3132
May 17, 2020, 09:57:55 AM
#7
This is not a huge vulnerability imo, as the attacker would need pyshical access and you can use a passphrase which would make it much harder to exploit. Isn't it?

I don't feel affected myself either. The probability of a physical attack is really low. Still, I think that we should keep talking about this issue in case someone missed it.

I'm not overly concerned about this particular vulnerability either, but if Trezor can do something to eliminate it I would be all in favor.

Actually, in the lastest Trezor T update, they introduced SD card protection. A randomly generated secret is stored on an SD card which along with the PIN is used to decrypt the data stored on the device. I have tried it and it works well. Without the SD card, the device is practically useless for the attacker.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
May 17, 2020, 09:34:53 AM
#6
You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.

Are you talking about the vulnerability discovered by Ledger about an year ago?
https://news.bitcoin.com/ledger-reveals-physical-exploits-against-trezor-hardware-wallets/

Or is there any other?

This is not a huge vulnerability imo, as the attacker would need pyshical access and you can use a passphrase which would make it much harder to exploit. Isn't it?

I don't want to speak for BitCryptex, but I believe that is indeed the only vulnerability known to afflict the Trezor.   And yes, It can be mitigated by assigning a strong Bip39 passphrase.

I'm not overly concerned about this particular vulnerability either, but if Trezor can do something to eliminate it I would be all in favor.  It sounds like all of our Trezors will become obsolete once Trezor finds a workable hardware solution.  I wish them much success. 
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
May 17, 2020, 09:02:41 AM
#5
You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.

Are you talking about the vulnerability discovered by Ledger about an year ago?
https://news.bitcoin.com/ledger-reveals-physical-exploits-against-trezor-hardware-wallets/

Or is there any other?

This is not a huge vulnerability imo, as the attacker would need pyshical access and you can use a passphrase which would make it much harder to exploit. Isn't it?
legendary
Activity: 2730
Merit: 7065
May 17, 2020, 07:33:28 AM
#4
Trezor claims that the vendor is not going to share those flaws with their clients as well.
Yes, I know. It seems like an irresponsible and bad move if they are trying to fix the flaw.

If they are not, this is the situation:
The vendor knows about a vulnerability. Trezor discovered the same vulnerability but can't make it public due to their NDA agreement. The vendor is aware that Trezor discovered the flaw but their response is that nobody is allowed to talk about it. Seems like the customers are the ones who have to hope that their funds will stay safe...
legendary
Activity: 1876
Merit: 3132
May 15, 2020, 09:18:36 AM
#3
The article didn't mention if they are obliged to share their findings with Ledger as a condition of the NDA in the same way that Ledger did in the past when they discovered those Trezor vulnerabilities.  

Their findings are related to a specific Secure Element; not necessarily the one Ledger uses in one of their devices. They would disclose the vulnerabilities but they can't because they have signed a non-disclosure agreement (NDA) to get the full documentation of the chip. Trezor claims that the vendor is not going to share those flaws with their clients as well.
legendary
Activity: 2730
Merit: 7065
May 15, 2020, 07:40:39 AM
#2
I wonder if what the Trezor team discovered about the secure element should be a worrying sign for Ledger and Ledger hardware wallet users Huh
The article didn't mention if they are obliged to share their findings with Ledger as a condition of the NDA in the same way that Ledger did in the past when they discovered those Trezor vulnerabilities.   
legendary
Activity: 1876
Merit: 3132
May 14, 2020, 06:26:49 PM
#1
Trezor announced the foundation of Tropic Square - a company whose aim will be to develop a chip which will be open and fully audible. The rest of the article reveals that Trezor attempted to create a new device with Secure Element and they managed to find some flaws in the chip which they are unable to disclose due to NDA. You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.
Jump to: