TREZOR can Hacked ? | Bitcointalksearch.org

HeRetiK

legendary

Activity: 2912

Merit: 2066

Quote from: HCP on July 05, 2018, 07:23:24 PM

Quote from: HeRetiK on July 03, 2018, 12:49:34 PM

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).

OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).

Aw geez. Thank you for correcting me! I had a feeling that my memory was off but couldn't quite put my finger on it.

HCP

legendary

Activity: 2086

Merit: 4316

Quote from: HeRetiK on July 03, 2018, 12:49:34 PM

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).

OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).

notaek

legendary

Activity: 1268

Merit: 1009

Quote from: Cogy on July 04, 2018, 11:43:59 AM

Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.

Just to make sure you're fully safe, you can wipe your Trezor device and start initializing again with a new seed.
This can be accessed by pressing "Advanced settings" button on Trezor Bridge Interface after you have plugged it.

Out of curiosity, which model of Trezor did you buy?

Cogy

jr. member

Activity: 37

Merit: 1

Quote from: Lucius on July 04, 2018, 04:40:22 AM

The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.

Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.

dunfida

legendary

Activity: 3122

Merit: 1140

Quote from: Rath_ on July 03, 2018, 05:26:51 PM

Quote from: suzanne5223 on July 03, 2018, 02:02:58 PM

I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.

On these kind of cases manufacturer wont really be liable on this kind of case as long the reciever of such package do accept it on sealed box and later on it found out to be open then the sender isnt liable.
I believe it has been opened for a curious office mate Grin

If someone on the place had a knowledge about cryptocurrencies and hardware wallets then you are possible at risk but on a short period of time i dont think it had been compromised.

Rath_

legendary

Activity: 1876

Merit: 3132

Quote from: suzanne5223 on July 03, 2018, 02:02:58 PM

I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.

suzanne5223

hero member

Activity: 2660

Merit: 651

Want top-notch marketing for your project, Hire me

Quote from: Cogy on July 03, 2018, 12:17:30 PM

I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.

Both Trezor and Ledger Nano S wallet are secure wallet but can be hack if you dont avoid the necessary error but with the wallet package not intact. I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack.
Where do you order the item?

Cogy

jr. member

Activity: 37

Merit: 1

Quote from: Rath_ on July 03, 2018, 12:50:54 PM

Quote from: Cogy on July 03, 2018, 12:35:57 PM

Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.

Thanks a lot, now I feel free.

Cogy

jr. member

Activity: 37

Merit: 1

Quote from: HeRetiK on July 03, 2018, 12:49:34 PM

You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html

I mean Someone opened the packet.

Rath_

legendary

Activity: 1876

Merit: 3132

Quote from: Cogy on July 03, 2018, 12:35:57 PM

Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.

HeRetiK

legendary

Activity: 2912

Merit: 2066

You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase ~~and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt~~

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html

Edit: I was utterly mistaken regarding the BIP-0039 mnemonic. Please refer to HCP's post below.

Cogy

jr. member

Activity: 37

Merit: 1

Quote from: Rath_ on July 03, 2018, 12:30:13 PM

TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?

Thanks a lot,
Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

Rath_

legendary

Activity: 1876

Merit: 3132

TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?

Cogy

jr. member

Activity: 37

Merit: 1

I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.

Topic: TREZOR can Hacked ? (Read 222 times)