Author

Topic: Trezor wallet can be hacked into before it boots up (Read 1254 times)

newbie
Activity: 28
Merit: 0
Read all about it here:
https://steemit.com/trezor/@lexiconical/trezor-hack-devices-are-not-secure-private-key-can-be-extracted-at-startup

There is a way to keep it secure hope to hear about it in the next firmware update. Embarrassed

no it does not hacked by any one. trezor wallet had great features it is one of the best hardware wallet it can save private keys more secure and no one can hack to this. if you have to creatings private keys then don't reavel to others. like it is more important to keep maintain secure.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument there is one thing not being considered by your approach. Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc.....  A paper wallet has no hidden wallet feature.  If I find the paper wallet its game over.  If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose.  My real nest egg will be beyond your reach and you can't even prove it exists.  Thats all thanks to BIP39 and features external to the hardware device.

Yep, precisely. The fact that you can use cold storage with the ease of a hot wallet is liberating. Using an airgapped computer to sign transactions gets old real fast. However that's just my humble opinion. Everyone has their own use cases and security needs.

Apart from that, rest assured that even knowing the seed words won't help an attacker if your passphrase is long enough. You could basically create a paperwallet that can be used on a non-airgapped device via trezor without fearing to expose the private key.
hero member
Activity: 761
Merit: 606
Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument there is one thing not being considered by your approach.  Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc.....  A paper wallet has no hidden wallet feature.  If I find the paper wallet its game over.  If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose.  My real nest egg will be beyond your reach and you can't even prove it exists.  Thats all thanks to BIP39 and features external to the hardware device.
legendary
Activity: 966
Merit: 1042
Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.
hero member
Activity: 761
Merit: 606
Guys please read and study the link placed in the post above this one and repeated here:

Quote
They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

The explanation of how this fix removes the RAM/SEED issue will hopefully become clear as you follow along.  If not come back and ask.  Your Trezors are not junk so don't believe everything you read since misinformation abounds on the net.  Your valuable SEED words have now been internally flagged in the Trezor firmware and moved to the beginning of RAM defeating this attack.  One important note is to stop and realize that even with NO changes or updates nobody can do anything to a Trezor without having it in their hands.  Paper wallets, which many brag about, are completely compromised IF you have one of them in your hands.  This new update will keep physical security of a Trezor pretty tight, and certainly much better than a paper wallet in someone's hand.  Both are impossible if they are NOT in your physical possession.  Lastly, as I have preached for a long time, you may want to utilize the BIP39 standard and incorporate significant passphrases for hidden wallets.  None of the extended seed info is ever stored on a hardware wallet so even in a total breach (very unlikely to ever happen) your coins are safe.  Caveat:  I am not affiliated with Trezor mfgs, but I hate all the misinformation that others are circulating.

staff
Activity: 3458
Merit: 6793
Just writing some code
Trezor has already released an updated firmware that fixes this problem: https://blog.trezor.io/trezor-firmware-security-update-1-5-2-5ef1b6f13fed

They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

Lastly, the medium post that is often referred to is vague, describes the attack that was already fixed, and does not describe any new attack or any details of how the attack used for <1.5.1 firmware versions would work on 1.5.2. It is highly suspicious, does not follow responsible disclosure, is asking people for money for the attack, and in general, does not appear to be credible at all. Independent researchers had discovered the vulnerability too and the fixes for it were in the public github repository, so it seems that that person simply looked at the commits that fixed the problem and decided to FUD about it.
hero member
Activity: 589
Merit: 502
Read all about it here:
https://steemit.com/trezor/@lexiconical/trezor-hack-devices-are-not-secure-private-key-can-be-extracted-at-startup

There is a way to keep it secure hope to hear about it in the next firmware update. Embarrassed
Jump to: