Trezor devices have serious security vulnerability - #CryptoTrading

Published in Psa · Labeled as PSA ·

...even after any possible firmware update.

In August 2017, Trezor released a security update. It updated your firmware to version 1.5.2 as older versions of firmware could make your seedphrase visible to someone who’d steal the device, took it apart and flashed it with a hacked-up firmware.

Here is the official story from Satoshi Labs:

It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.

In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially-crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible.

With firmware 1.5.2, this attack vector is eliminated and your device is safe.

As it happens, the unofficial version is a lot worse:

The frantic patch creation we see now, before any coins have been lost (apparently), is because the issue was talked about at DEF CON 25. All Trezors, regardless of the firmware, use a chip that is vulnerable. According to the author of the article linked above, the chip will always be vulnerable in some way and Trezors are not safe unless all devices are replaced with ones that use safer chips.


Furthermore:

Trezor so far greatly downplays the importance of this hack. There is no long-term access needed to copy all your secret information from Trezor using this hack, it can be done just in 15 seconds. If your Trezor is stolen, you don’t even have time to transfer you funds to a new address. Government authorities can access all your Bitcoins and other crypto currencies without even asking for your consent. If you are crossing an international border, TSA can easily check your balances, etc. IRL, Trezor is as safe as leaving your cash or wallet on the table. On top of all that, your Trezor can be restored to its original state or replaced with identical Trezor with the same configuration, you wouldn’t even notice any difference until it is too late.

The exploit surely now can be done in 15 seconds at the airport since the source code for it is public.

The key to performing this hack is simply connecting two pins inside the Trezor device at the right time, even paperclip is suitable for this.

Only a simple version of this hack requires the disassembly of Trezor. A more advanced version also exists. No disassembly is required!

The author linked a satoshibox file with an exploit for the new firmware (1.5.2) but the link is broken.

What can you do?

Extend your seed with a 25th word.

Passwords in Trezor create a 25th word of a seedphrase. Trezor claims password protection makes the devices safe against this exploit, it is for researchers now to prove or disprove that.

Don’t carry your Trezor on you when you cross borders.

It is the physical access that is dangerous.

Build your own cold storage solution.

Back in the day, people used to use a spare laptop with Armory or Electrum on it. Electrum is the better choice now, BitcoinArmory is only maintained sporadically.

Learn more about Electrum in the ATNET Glossary and links there from.

Category: Psa · Label: PSA · Author: Karlvonbahnhof (contact author)

 

Last added to Crypto Airdrops, Bounties & Opportunities
Airdropped Token or Opportunity Airdrop Date About the airdrop Link
Bitfinex KSM Staking Launched 25 Feb Bitfinex opened staking of Kusama tokens with expected staking rewards of ~8% p.a. To start staking KSM, deposit your tokens into your exchange wallet on Bitfinex, or buy the tokens on the exchange. First payout will arrive on 3rd March. sign up with fee discount
PheMex Twitter Bounty Live Phemex is a crypto derivatives platform (new and therefore not to be trusted too much) that is trying to fill the hole after BitMex. They do not require KYC for now, word of caution. PheMex is trying to build up their Twitter account and promise to give away the total of 1x 10k worth of BTC as well as loads of smaller prizes in gift cards and such, if you help them shill their Twitter handle. Phemex account is needed, sign up with code H7QPW to get welcome bonus. sign up with bonus and view the prizes
DOT and GRT trading fee discount (reliable exchange, easy KYC) Until 9 March Polkadot and The Graph trading has been enabled on the Aussie exchange Independent Reserve in fiat pairs with AUD, NZD, SGP and USD. (International deposits available, KYC individual). The trading fee is 0.1% flat for accounts without premium or volume discount for the first two weeks of trading. info
Pulse Network Reward Competition Until Mid March Pulse network is opening a competition where the most active social media shills get rewarded from a prize pool of 10k+ USD. Top 50 shills get at least 430 USD worth. info
BitFuFu Bounty Promo Until end of Feb BitFuFu is a cloud mining pool that gives a bounty to approved users for online promo. Bounty is paid out weekly in stablecoin. request entry
Blockchain Space Telegram Bounty Until June 2021 Blockchain Space runs a Telegram activity bounty. The most active users will be paid 50 USDT every 15 days. info
Armor Network Early Mining Opportunity For a few weeks now Armor Network is a fast, anonymous and untraceable cryptocurrency integrated into Telegram ecosystem. No ICO, no premine. Genesis block 21 Jan, mining rewards are still high. WARNING: Right now uses a Telegram wallet, so you don't own the private key. info
Bitfinex Global Grid Competition Until 21 Feb Bitfinex intermediate verified users can enter any of the 4 trading competitions and fight for prize pool of 50k USDt. More information in the banner at the top of the chart in Bitfinex trading interface. sign up
Zappermint bounty Weekly Zappermint is a token for monetization of game apps. They run a weekly social media bounty that must be reported and claimed via bitcointalk. thread
Opportunity: DeFi Tokens on reputable exchange with lower fees 14 days after listing The Aussie exchange Independent reserve is listing new DeFi tokens these days. For each of the new markets has the fee reduced to 0.1% for the first 2 weeks. Currently those markets are yearn.finance, Aave and Kyber Network Crystal. sign up
Earn YoBit's YoDefi tokens Live YoBit set up their own defi project for liquidity on the exchange. The exchange pays out 777 YoDefi Tokens proportionally for all users every 10 mins. sign up
Staking without KYC on WhiteBit New! WhiteBit opened 17 different staking plans with 9 different currencies to choose from. 40% APR, available to the users without KYC. (Be mindful of risks) sign up