Topic: What if the Trezor server got compromised? (Read 3549 times)

I see, that makes sense, so the private keys are created based on the recovery key.  Thank you.

nothing will happen if the server is compromised just check their faq for some information about that



I wonder if you export the private key from the trezor?

All of the private keys in the wallet are derived from the recovery seed. Recovering a wallet consists of deriving those keys again from the recovery seed. The name of this system is "hierarchical deterministic wallet" or "HD wallet". The process is also known as BIP 32 and is described in detail here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

Thank you for the answers.  I'm still a little confused how any wallet can be recovered with the seed without there being a copy of it anywhere.  Since the recovery process is completed using mytrezor and can be done from any machine, there has to be something pertaining to the wallet stored on Satoshi Labs servers. 

1. The wallet exists only on the Trezor. It can be recreated using the recovery seed so there is no need to make a copy.
2. The recovery seed is generated using internal hardware combined with random data from the computer when you set it up. You can also create your own custom seed.
3. The primary danger is a compromised app on the computer swapping an intended receiving address with its own address without you noticing.
4. I don't know, but that can be determined by looking at the code.

I own a couple Trezor's and had some questions I hope can be answered.  I store a lot of BTC on my Trezor, so it's important that it's very secure. 

1. I realize that private keys never leave the Trezor, however I assume a copy of my wallet is stored on Trezor servers, since I can recover my wallet if I lose my Trezor?
2. How is the recovery seed created on the Trezor, is the recovery seed programmed into the Trezor before it's shipped or is it completely random?
3. Is there some protection against 3rd party wallets (Electrum 2.0) that may be compromised.  I assume many wallets will support Trezor in the future.
4. When I connect my Trezor for the first time, setup my wallet and seed, transfer BTC to wallet, what exact information is stored with Satoshi Labs servers?

Thank you.

Thanks.

If it did, trezor would be useless as a paper wallet would be safer.

So you spend your paper wallet by computing ECDSA signatures in your head ;-).

Everything around TREZOR is opensource and auditable. Private key never leaves the device. All random numbers are generated from mixed entropy from HRNG and computer's randomness. Builds are deterministic. Firmware update need to be confirmed by user and firmware fingerprint is validated by bootloader. There's no WIFI/bluetooth on board (you can buy two trezors and open one of them to check yourself).

We've put ~two years of designing and developing this stuff with top security in our mind. I really don't think that people will find some vulnerability after few minutes of thinking, which we did not considered already :-).

Paper wallets can be stolen and they have no passwords.
Memory sticks can be destroyed in a fire or lost/stolen.
You still need to sweep the private keys for every spend.

This is what is advantageous about Trezor. The masses need such a device if bitcoin is going to become big.

Trezor could be compromised if cameras watch you typing the seed?

From what I can find from wading through some of the code, it looks like its random functions are at least cryptographically secure.

you have backup of your seed on the paper as well. You can use any BIP32 compatible wallet to import the seed and recover your funds.

Electrum is currently in beta http://www.reddit.com/r/TREZOR/comments/2jp9uk/tutorial_install_electrum_20_beta_with_trezor/ , soon you will be able to use Trezor with Multibit HD, Armory and GreenAddress.

Basically there is no way, how you can loose your coins using Trezor.

If the Trezor goes, you have the seed that can be imported into another wallet.

This 100%.  Paper wallets and offline usb is the way I go. If the usb corrupts or fails I still have the paper.  If the trezor fails, then what?

Please read the docs first http://doc.satoshilabs.com/trezor-user/securityphilosophy.html . Do not you think, if there will be any wi-fi integrated in the hardware someone will already find out? Do not you think if there will be some security issue, people like Andreas Antonopolous will be even bothered to mention Trezor device as a secure solution http://www.reddit.com/r/Bitcoin/comments/2mz3q3/new_identity_of_andreas_m_antonopoulos_secure_and/

Yes, paper wallets are safe, but you still need to load private keys from paper using a trusted computer to send your coins to somebody else. Also if you do not understand, how change adresses work, you are most likely to loose your coins.

A paper backup is a quite safe method to protect bitcoins, but you still need to load private keys from paper using a trusted computer to send your coins to somebody else - please see the docs - http://doc.satoshilabs.com/trezor-faq/differences.html

Boy wouldn't it suck to find out one day that the Trezor devices were simply using wifi to transmit the information on them?

There are so many suspicious infommerical-sounding posts for the Trezor all over the internet right now, I really wonder how many are legit.

In my opinion, you have to be a complete idiot to trust your money to any electronic device, provided by any 3rd party, for any reason whatsoever right now.

Paper wallets all the way.

-B-

It has already been answered on the first page

I will send Slush link to this thread, he may answer you...

AFAIK, the Trezor has a hardware random device so the random numbers it produces should be good.  Just in case, it also adds random numbers from the computer on first initialization.

But if you really want to, you can enter your own seed generated from dice rolls. It must conform to bip39 (12/18/24 words, part of the last word is a checksum).  The spec is out, but I'm not sure if someone implemented a tool that converts dice rolls into a bip39 mnenomic sequence. If you go this way, you need to trust the computer where you compute the sequence. 

You should never enter the 12/18/24 word sequence directly into a computer.  If you restore the Trezor from backup it will ask for the words in a random order (on its own display), so even if the javascript code or the local computer is compromised, it will not know the order of the words.  Of course, knowing which words occur in the sequence drastically reduces the security of the sequence.

Firmware updates have to be sent manually to the trezor using a special procedure involving pressing both buttons while connecting the trezor to the computer.  So even if the firmware keys are compromised, an attacker has to convince you to make a firmware update.  So if you check the social networks for announcements before doing a firmware update you should be fine.  Another problem may be an unknown bug (0day exploit) in the current firmware.  Still an attacker needs to compromise first your computer or the mytrezor domain or the client you use to access the Trezor and second the Trezor firmware.

The biggest part of the problem was becoming familiar with compiling software and installing it on the operating systems that were involved:  Ubuntu 14.04 and Windows 7.  Initially, I just focused on Ubuntu.  I started out running it in a VMware virtual machine (free version) that ran under Window 7, but this was interfering with the performance of other things I use the machine for, so I spend $300 and put together an Atom based Intel NUC system with 120 GB SSD and 8 GB of RAM.  I installed Ubuntu 14.04 LTS on this machine.  Initially I was using a spare keyboard and mouse and VGA display, but after I got the system running OK and set up SSH I have managed the system headless using PUTTY from my Windows 7 machine.

I went to the Electrum web site and then to Github and found the instructions for installing Electrum Server, which involve building it from source. This was pretty straightforward, just involved tracing down some dependencies.  I am no Linux expert, so a certain amount of Googling was needed to interpret error messages and figure out how to do things, such as increasing the number of open files.  The first part of the directions was to build a bitcoin node from source on this machine.  After I got this working, and installed on the system and it seemed to be working OK, I moved on to the electrum server and got it to work with electrum clients on one of my other machines (the release version, not the Trezor version. At this point I was running a couple of PUTTY terminal windows.  The last thing to do on this box was to rig it so that bitcoind and Electrum server started up automatically at boot. The machine runs unattended and draws almost no power (less than 15 watts) and sits behind a  UPS, so it does not glitch with my frequent power interruptions.  The Electrum Server is not very robust and if the system is shut down without waiting for the Electrum server to finish processing, the database can be corrupted and this can take hours to recover, so don't do this.

The next step was to get an Electrum 2.0 client running.  I did this first under an Ubuntu virtual machine on my Windows system. The directions are at the Electrum git-hub site. Again, some tracing down dependencies and loading them with apt-get.  At this point the next step was to get the Trezor running.  This requires installation of appropriate routines to allow Python programs to access the Trezor via the USB. This is the Python Trezor code, also available from Github. It includes a "hello world" test program to verify that a Python program can talk to the Trezor.  I ran into one obscure problem getting this to work. I had to find the utility to see what was going on on the (virtual) USB, bypassing the "Cython" wrapper that connected Python to the C code that talked to the USB. I thought something was seriously broken, but then I discovered that everything worked fine so long as I was running as root.  Once I set up the USB protections so the account used for the my normal login was permitted to access the Trezor (both read and write) then everything was fine.  At this point it was just a matter of starting with no wallets in the .electrum directory and Electrum 2.0 prompted me for the rest and my Trezor based wallet showed up.

I ran this way for a month.  Eventually, I got bored and curious and figured out how to get Electrum 2.0 to run under Windows 7.  This involved installing Python, Python-Qt and a development environment for C code.  This was another learning experience on my part, but it was all possible by downloading free software.  I got waylaid for a few hours until I realized that the free C compiler I had used was only 32 bits, and so I had to redownload and reinstall the appropriate versions of Python and Python-Qt.

For someone with more skill that I had, all of this would be an easy process.  The longest time required was the time for the initial download and block sync of bitcoind and the downloading of the electrum server database and initial sync of the electrum server.   If all you want to do is use Trezor via Electrum, none of this server work is needed, but then you will have to trust the electrum servers, which means you had better not be paranoid.

I deliberately picked a low end Intel Nuc (1.4 GHz single core) for a server machine  to see if it would be fast enough. It takes less than 10 percent of CPU time for bitcoind to keep up with the network, even where 1 MB blocks are back to back.  I can't say as much for the Electrum Server.  The CPU seems to be saturated and uses about 30-40 percent of the CPU on this slow machine for large blocks.  This seems unnecessary, as I understand it, but I don't know enough about Python to know how to profile the software and speed it up.  (I'm sure that this can be done, because running an Electrum Server doesn't involve verifying transactions in the block chain, which is the time consuming part of bitcoin processing.  The server is just doing database processing which ought to be lightening fast with 8 GB of RAM and an SSD.)

I would not recommend doing this if you aren't already an expert or (as in my case) you "enjoy" learning experiences. :-)

https://github.com/spesmilo/electrum-server
https://github.com/spesmilo/electrum
https://github.com//trezor/python-trezor

Then it is not trustless.

Have you written up how you set this up? It would be nice to see some docs about how to do this.

Trezor private keys are stored in Trezor, so everything is ok 

I would trust an offline wallet more than any centralized service.
To be 100% sure about the randomness of your private key, use a coin and flip it 160 times. Google for a "how to generate a private bitcoin key with a coin"

The Trezor device has access to your private keys. Therefore, it is correct to assume that if the device is compromised, you could lose the BTC stored on it.

Can the device be compromised? For instance, can the attacker convince it to run software supplied by the attacker?

From time to time, the firmware on the device has to be updated. The update is downloaded from the site of the producer and signed with several (3? Don't recall any more) secret keys of the developers. The signatures are checked with the public keys of the developers, which are stored in the firmware of the device. Can this process be subverted?

If the PC downloading the new firmware is compromised, the malware on it can modify the new firmware - but it would invalidate the signatures. Therefore, a different approach is needed.

One possibility is if the signing (secret) keys of the developers are compromised - either by a disgruntled employee, or because they go rogue, or because the company is hacked. Such things have happened in the past. However, several keys would have to be compromised (and the breach not noticed); just one would not be enough. While not impossible, I consider this highly unlikely.

There is another approach, however - one that exploits not cryptography but human nature. We call is "social engineering" but it's basically lying and manipulation. Suppose that the malware on the compromised PC intercepts all communications to and from the company server and changes the firmware update page. It puts a HUGE warning that the company's keys have been compromised, there are new ones and the new firmware is signed with them, so trust us and ignore any warnings from the device - with screen shots of what to do and everything. (The same thing can be achieved by hacking the company's site - but that would be noticed and fixed fast enough.)

While many people will realize that something is fishy, many more would not. And a successful scam doesn't have to work on everybody - it only needs to work on enough people to be profitable.

He said one of the most, not the most. Paper wallets are more secure (depending on how they are generated), but they serve a different purpose and are usually used for storage only and have to be swept into another wallet in order to make payments.

The trezor is the safest way to store coins and have them available to spend all the time. I'm going to the Isle of Man in June and I'm not taking my desktop pc with me, in this case it's the safest way to store coins and be able to make payments from any pc.

You can change the seed, but not to something you can choose yourself, it is automatically generated.

Trezor software is open source. Anyone can audit the code and if he thinks there is a security issue, you can voice out.

Trezor is standalone so as far as I know no server
Assume offline generation as well so no server to transfer the stolen data from.
Plus Slush pools still running 

can you enter you own seed made from dice rolls or coin flips?

can you even simply generate a new seed?

The seed is most likely unique to the device, So the hacker would need your seed and physical access to your Trezor

I don't agree, paper wallet or offline computer wallet is more secure and free

I don't think this answers the question. You get a "seed" that you can use to restore your wallet in the event that you need to replace your trezor. What happens if whatever server that is storing the connection between the seed and the private keys get compromised?

I run a Trezor off a bitcoin node that runs in my house.  The Trezor talks to an electrum 2.0 beta client and the electrum 2.0 beta client talks to an electrum server which talks to the bitcoin node.  The electrum server and the bitcoin node are physically in my home office.

It all works.  It's very fast. It's easy to use. The Trezor is presently connected via USB to a Windows 7 workstation and the Electrum server and  bitcoin node are running on a small Linux machine that I had lying around.

I highly doubt any of the Trezors come in contact with an online machine or server while in production. If they were to store the private keys on their servers it would go against the whole point of the Trezor device.

This is why we need Maidsafe. Servers are deprecated and only create trouble.

Having not seen a Trezor hack doesn't mean it's not possible.

Absolute security is relying on NO ONE else to give you your private keys.

Trezor is one of the most secures ways to have your bitcoins stored.

The private keys of your trezor never go out from it, and you can always check in its screen the transaction parameters to see if they are correct or not.

I have not seen yet any trezor hack.

you should understand how trezor works

trezor private keys are stored in trezor ,and they never go out from it

so trezor server does not matter to hack your bitcoins

The keys for signing transactions are stored on the trezor, not on an online server. The mytrezor page is only a software interface to access the device and the web never sees any actual private keys, only already signed transactions.

So you don't even need to ask, it's already answered

http://lmgtfy.com/?q=What+happens+if+the+SatoshiLabs+servers+are+hacked+and+the+firmware+signing+key+is+stolen&l=1

Then why not ask naming the security method/methods?

Like if they will answer as it should be . they will be like every Client support you have ever seen nothing bad will happen it's highly protected etc ... then BOOOM ! R.I.P
not trying to make anyone in Panic here , I'am just saying
I don't even know how Hardware wallets connect to the servers & stuff anyway

Why not try mailing them and asking them directly?

We need to be sure here. We don't want this to be the next Gox or Stamp.

I doubt it's stored in plain text.

Are we not putting too much trust into a company here? What if their signing keys get compromised?