Author

Topic: TREZOR can Hacked ? (Read 253 times)

legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
July 05, 2018, 07:04:24 PM
#15
The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.
You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).


OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).

Aw geez. Thank you for correcting me! I had a feeling that my memory was off but couldn't quite put my finger on it.
HCP
legendary
Activity: 2086
Merit: 4363
July 05, 2018, 06:23:24 PM
#14
The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.
You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).


OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).
legendary
Activity: 1268
Merit: 1009
July 04, 2018, 02:01:57 PM
#13
Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.

Just to make sure you're fully safe, you can wipe your Trezor device and start initializing again with a new seed.
This can be accessed by pressing "Advanced settings" button on Trezor Bridge Interface after you have plugged it.



Out of curiosity, which model of Trezor did you buy?
jr. member
Activity: 37
Merit: 1
July 04, 2018, 10:43:59 AM
#12
The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.

Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
July 04, 2018, 03:40:22 AM
#11
The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.
legendary
Activity: 3122
Merit: 1140
July 03, 2018, 06:18:37 PM
#10
I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.
On these kind of cases manufacturer wont really be liable on this kind of case as long the reciever of such package do accept it on sealed box and later on it found out to be open then the sender isnt liable.
I believe it has been opened for a curious office mate  Grin If someone on the place had a knowledge about cryptocurrencies and hardware wallets then you are possible at risk but on a short period of time i dont think it had been compromised.
legendary
Activity: 1876
Merit: 3139
July 03, 2018, 04:26:51 PM
#9
I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.
hero member
Activity: 2786
Merit: 657
Want top-notch marketing for your project, Hire me
July 03, 2018, 01:02:58 PM
#8
I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.
Both Trezor and Ledger Nano S wallet are secure wallet but can be hack if you dont avoid the necessary error but with the wallet package not intact. I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack.
Where do you order the item?
jr. member
Activity: 37
Merit: 1
July 03, 2018, 12:03:24 PM
#7
Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.

Thanks a lot, now I feel free.
jr. member
Activity: 37
Merit: 1
July 03, 2018, 11:55:54 AM
#6
You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html



I mean Someone opened the packet.
legendary
Activity: 1876
Merit: 3139
July 03, 2018, 11:50:54 AM
#5
Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
July 03, 2018, 11:49:34 AM
#4
You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html


Edit: I was utterly mistaken regarding the BIP-0039 mnemonic. Please refer to HCP's post below.
jr. member
Activity: 37
Merit: 1
July 03, 2018, 11:35:57 AM
#3
TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?

Thanks a lot,
Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.
legendary
Activity: 1876
Merit: 3139
July 03, 2018, 11:30:13 AM
#2
TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?
jr. member
Activity: 37
Merit: 1
July 03, 2018, 11:17:30 AM
#1
I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.
Jump to: