Topic: Trezor Model One wallet and thoughts (Read 238 times)

I never saw a single fake trezor device that was successfully used for scamming people, there were some cloned devices that used trezor code but I don't know a single verified case of people losing funds like that.
On the other hand, we all saw those fake ledger devices that used fake pcb board, they looked exactly the same from the outside, had the same packaging, but software was different.
All this was result of ledger leak that resulted in release of home addresses, phone numbers, names and other information from their customers.

Could something similar happen with Trezor after recent Mailchimp leak?
- It's possible, so better be aware of this.

Well, they haven't denied the existence of the vulnerability. I don't know if they got their hands on one of these hacking devices, but again it does not matter, because it's just a technicality. Just a way to make the attack cheaper and faster, which I already said is definitely possible. Just that this one video of a black box and a software with a progress bar doesn't add much value really.

Even for kingpin, the development of the exploit took 3 months, but the execution only a few hours (since he had to wait for the brute-force timing attempt to hit just right).
It's an important distinction to make: time spent researching and time spent executing.

As I said before, I can definitely see how a purpose-made PCB with perfect hard-coded timings and connections can get the job done in 5 minutes and $100 of materials. Just that getting that board will take you months or years of research to find the vulnerability, develop an attack, perfect the attack, and bake it into a PCB.

The required hardware for the attack isn't expensive, but it's also important to mention that you have to know exactly what you are doing. Ledger's Donjon team hacked a Trezor several years ago, but nothing was released to the public, of course. There isn't much information that could help anyone else to repeat the procedure. They know what they were doing and with that knowledge, they can get the job done in 5 minutes. But Kingpin, despite being a good hardware hacker, didn't have the needed information or couldn't use whatever details were released in the statements by Ledger to help him hack a Trezor One. He went a different route and it took him 3 months.   

Do you think that one company would just make such accusations if they are not true? In addition, Trezor never denied that all the allegations made were completely correct - otherwise, the whole thing would have ended with a lawsuit.

Oh wow, they developed a custom PCB that performs the whole attack sequence, that's interesting. I only knew about the 'proof-of-concept' that required a pretty sophisticated setup with multi-thousands-$ scope and such and a lot of knowledge, which you can imagine was probably something like what kingpin did in this video. But sure, it should be possible to design a PCB around an FPGA and all the necessary logic to accurately inject a fault into the target wallet.
But this would be a 'custom hacking board' tailor-made just for Trezor (a little bit like an ASIC for Trezor hacking ) which is not easy to get your hands on. The video where they demo this custom PCB also doesn't really prove anything, for what we know it could easily be fake.
I would agree though that it is technically possible to build a dedicated hacking device that doesn't require too much skill to use.

One that has been known to the public since 2019, and it is obvious that this vulnerability has existed from the very beginning, but no one has discovered it before. The vulnerability can only be patched if the user uses a strong enough passphrase or SD card backup.

If the conflict escalated to a global extend, getting a  new Trezor would be one my last concerns, keeping in mind with this be the first time both sides have a nuclear arsenal at their disposition.

Hopefully, this wont happen and we shall see the new product this year or next one.

This should be the first mostly open source secure element with transparent schematics in the world, but honestly I am little concerned if they will be able to release it this year.
Not many people know but China is in crazy situation now, Shanghai is locked for weeks, everything stopped, I am hearing reports of main ports big delays, and army numbers is growing near Taiwan (place that should make new OS chips for Trezor).
Not so fun  fact is that every time we had big hyperinflation in the world, it was followed by global dictatorship and then with world war.

I am sure he spend much more for making this video and he needed a lot more time for cracking that wallet, and he can't repeat that again.
However I have to admit this was good investment and advertising campaign for Kingpin.

Which Trezor attack only costs $100 and can be performed in 5 minutes? Anything I've seen so far, took way longer and required more expensive equipment. Just the scope in the kingpin video probably cost $5,000 or more (though you can get away with something bottom-of-the-barrel for roughly $500).

I think this should be especially emphasized when it comes to Trezor, because the customer must know that he is buying something that has a vulnerability that can be very easily exploited if the device falls into the wrong hands without additional protection (passphrase). Hacking that costs about $100 in equipment and about 5 minutes in the time it takes to hack a device is a serious security flaw.

As far as I know, such a vulnerability does not exist on other hardware wallets, although one should always count on someone to be able to find a similar vulnerability in the future. Personally, I'm not afraid that someone will steal my HW and hack it, but that someone will discover a way to hack our HW remotely when we connect them online, no matter how unbelievable it may seem at the moment.

Yes, that's the idea. It is supposed to be as open-source as possible. They have used that wording a few times. It's either too dangerous or really difficult to make it absolutely open-source. But it's going to be giant step forward compared to older secure elements that are completely closed-source.   

While this indeed worth mentioning, I would also consider all hardware wallets (more or less) hackable if one gets his hand on them. Maybe some weren't proven so yet, still, better safe than sorry.

Will this the first open-source secure element ever made, right?

I am generally cautious with making claims that I can't back up and prove, so I can't say what someone does or doesn't do intentionally. I can only have an opinion. My opinion is that it shouldn't have happened and it's another dent in their reputation. They seem to be messing up on all fronts. Earning money is the goal of all businesses, and most companies will always favor profit than the interest of their users no matter what they say or claim in their PRs and statements. That doesn't mean I like it, it's just the way it is.

It can still be purchased, but the bigger fear is not stopping its production, but ending the support for it.

I doubt it will. A brand-new device with revolutionary secure element that is supposed to be fully open-source doesn't come cheap.

Right.
It was not always that expensive I think, in 2020 was like barely over 100 Euros or something.

Perphaps, it is still an option for someone who has no problem with paying more and is highly privacy/monero driven. Nonetheless, your recommendations would be always be welcome considering that you seem to be person who is actually concerned to filter the good quality HWs from those that are not worth neither the money nor the time.

Also, I am eager to see what the next gen of Trezor wallets will offer, I am afraid it will not be cheap at all, tho.

Current price for Trezor model T is higher than I would like to spend and it' not justified in my opinion, just because they added bigger screen with few more supported coins with bigger memory.
For price of over 220 euros plus shipping I could get much better air-gapped open source hardware wallets like Passport or Keystone, and I would have extra money left in my wallet.
When Trezor finish making new wallet with secure element than I will consider recommending it again, after I test it or see some reviews.

This are not bugs for ledger S plus, it was intentionally made like this because they speed up development without completing the code, and they wanted to earn more money as soon as possible.
It doesn't really matter if old S device support most coins like model X when you can only install few coins, and when they stop manufacturing it...

One difference between a Trezor and a Ledger is that all 3 of the currently sold Ledger hardware wallets support the same coins. Actually, the Nano S+ is currently experiencing bugs where there is a lack of support for several altcoins. The developers hurried with the release without checking everything properly. With the 2 Trezor models that is not the case. Because of that, you will have to check if the assets you plan to store on your Trezor One are even supported. 

Trezors don't have secure elements, and to increase your security you really should use a strong passphrase.
I like Trezor even if I don't own one personally. What I don't like about the Model One is that the seed words are entered into a software and not on the device itself. With Model T, they changed this and you enter the words into the hardware wallet only. Everything else has already been covered by other users.   

I personally recommend it, I got a Trezor One as a gift in 2020 and I am happy with it.

The main Pro's

the wallet is open source and the philosophy of Satoshilabs is good when comes to privacy and crypto-identity, albeit they are humans so they are still subjected to mistakes.

They have a good history of transparency with the flaws and weak points of their products, and if they have even kept anything hidden it was because confidentiality agreements between them and their chip provider, this has led them to found Tropic Square.

The devices are easy to use, they offer regular updates and security patches and they support most of the important projects within the crypto ecosystem. It can also be used as auth key, so you can protect your Google, Binance, Microsoft and other accounts from unauthorized access.

The main Con's:

In the case of the trezor one, the first thing that comes to mind is the lack of support with comes to important projects that have recently appeared.
For example, Trezor One supports projects that back in the day may have been quite important withtin the community, like Bitcoin Cash, Namecoin, Peercoin or Bitcoin Gold... but these projects have lost relevance in favor of others like Cardano or Monero. You could find in a situation where you would like to store Cardano or Monero in your Trezor One, but you can't while you could store other coins which do not catch your attention at all.

Trezor T, on the other hand, supports Cardano and Monero. So be aware of this before proceeding with your purchase.

Some people take like a con the materials of the Trezor One, they say it feel fragile or "cheap" for the 50$+ it is worth. I do not think so, in my opinion one needs to keep in mind this is not supposed to be a "premium" wallet and the fact Satoshilabs continues to offer patches and support to this device (coders are not free).

One may feel the materials are not good at first when you unbox the Trezor and have it on your hand, but when one start to use and get used to the device, one can tell it is a good designed one, imo.


Nothing serious, The wallet itself is kind of vulnerable to be cracked if a thief has prolonged physical access to it. Because of this it is recommended to use it with a passphrase to add an extra layer of security, just be careful not to lose it, otherwise you will lose access to your coins.

In case you dont want to use a passphare, keep your wallet (and seed, obviusly) in a separate and safe place and check on it every now and then, in case you lose the wallet, you must use the seed as soon as possible to move your funds to another wallet you control, in case someone is already trying to crack your lost wallet.



Trezor one, I believe it is quite good for DEX which Blockchains are compatible with, you will need to use an external wallet/addon in order to do so, like metamask.
I have tested it with Uniswap and I have done swaps on Ronin Wallet's DEX, it has worked flawlessly. Be aware that Trezor One is not compatible with Binance Smart Chain, as far as I am aware, so you won't be able to interact with that blockchain. Trezor T, on the other hand, it is and can store Binance Coin.

Trezor one allows you to visualize and keep track of your ETH tokens natively.




Because of the open-source nature of Trezor One, even if Satoshilabs goes out business their code may be picked-up by some developer of good reputation to continue with the support/development.

In any case, as long as you keep your seed save(and passphrase, in case you set one up) you will have no problem to access your funds from another hardware wallet or software wallet which allows you to import your seeds onto it.

Just keep in mind, that the moment you import a seed generated from a Trezor to a software/hot wallet, that seed is not longar as secure as used to be before importing it, because now has "touched" an internet connected machine. In that case, you should never import that seed again back to a hardware wallet, but generate another seed instead.

Please, be sure that even after reading our recommendations to do your own research, have a good day.

I am not using any of the fake Dex exchanges that run on shitcoin networks because they are all centralized, so I can't share my experience on that.
However I do know that many hardware wallets have problem with blind signing that can create a lot of issue with those exchanges.
I wouldn't choose ledger nono S because it only supports few apps and it's stopping with production, nono s plus still doesn't support all apps, and nono X is terrible device with bad battery and firmware issues.
Trezor have similar issues wih blind signing, and I think only Kestone wallet fixed those issue with different approach, but do your own research about that.

If you are buying something, my philosophy is that it is always better to buy the latest model than a model that has been around for years - because the newer model has some features that the old one does not have, and will certainly have support longer than the old one.


If you haven’t seen it already, here’s a good comparison of both models -> https://trezor.io/#comparison

The only problem that Trezor has is a vulnerability in the hardware that allows hacking the device if someone comes into its possession. It has been written about many times, and recently in this topic, so I don't think everything should be repeated.

Trezor is a good choice, and how much better or worse it is than the competition is a topic on which there are as many opinions as there are members on this forum.