Topic: Trezor firmware update (Read 155 times)

legendary
Activity: 2590
Merit: 3015
Welt Am Draht
June 03, 2020, 05:38:28 PM
#4
Quote
You might want to read the release and the detailed explanation again... it's not an issue with the hardware wallet so much as it is a fundamental problem with the design of SegWit transaction validation.

I read it. Yes I know, but many others are caused by design or hardware flaws. I can see a day where I take the seed elsewhere as an issue comes up that can't be solved. It's an eternal battle that'll probably only heat up as the years grind onwards.
HCP
legendary
Activity: 2086
Merit: 4361
June 03, 2020, 05:00:58 PM
#3
Quote
I guess I should've expected an endless stream of niggles and holes with hardware wallets, but it still surprises me when yet another pops up.

You might want to read the release and the detailed explanation again... it's not an issue with the hardware wallet so much as it is a fundamental problem with the design of SegWit transaction validation.

Note that this vulnerability is inherent in the design of BIP-143

I would think that theoretically any wallet could be exploited like this, not just hardware wallets... but looking at the details, I'd agree with Trezor's assessment that it is indeed a "corner case" and not likely to be a "real" problem.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
June 03, 2020, 04:33:53 PM
#2
Saleem Rashid strikes again. He IS a hardware wallet.

I guess I should've expected an endless stream of niggles and holes with hardware wallets, but it still surprises me when yet another pops up. At least it's reassuring that there are many eyes out there scrutinising these things. I'm waiting for the Big One though.
copper member
Activity: 1652
Merit: 1325
I'm sometimes known as "miniadmin"
June 03, 2020, 09:37:17 AM
#1
I've just received the following email from Trezor:

Quote from: Trezor Email
Latest Firmware Updates Correct Possible Segwit Transaction Vulnerability
Thanks to a report by Saleem Rashid via our responsible disclosure program, we were notified of a potential security vulnerability in Segwit transactions. This issue is a result of design choices in the Bitcoin protocol and is not a vulnerability specific to Trezor.

As this is a corner case, it is highly unlikely that you will encounter this problem. Segwit transactions are not affected if they are already on the blockchain and there is a rare possibility of this issue even if you are signing a new transaction while you have malware on your computer.

Even though this is a very improbable scenario and it will eventually be resolved by the Bitcoin community, SatoshiLabs is dedicated to correcting all problems, even those outside of normal operating parameters, no matter their likelihood. The firmware updates for Trezor One (version 1.9.1) and Trezor Model T (version 2.3.1) change how Segwit transactions are handled and correct this.

Check out our dev corner for a more detailed explanation.

Yours,
Trezor
It looks like the problem comes from the network rather than Trezor themselves. A patch for Electrum is also coming to solve this; but....

Quote
We are providing a patch for Electrum as a pull request #6198. It will be impossible to use Electrum with Trezor 1.9.1 and 2.3.1 until this patch is released.