Weekly E-mails:  Crypto Trading Strategy 5 Weeks of Onboarding Reads. Latest Airdrops (Thu 7 AM EST). Or all of it.

Dismiss   Pick Your Preference
This site uses cookies (More).

 

Trezor devices have serious security vulnerability - #CryptoTrading

...even after yesterdays security update of the firmware.
Blog
  .  Published  · By KarlVonBahnhof

Just yesterday, Trezor released a security update. It updated your firmware to version 1.5.2 as older versions of firmware could make your seedphrase visible to someone who’d steal the device, took it apart and flashed it with a hacked-up firmware.

Here is the official story from Satoshi Labs:

It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.

In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially-crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible.

With firmware 1.5.2, this attack vector is eliminated and your device is safe.

As it happens, the unofficial version is a lot worse:

The frantic patch creation we see now, before any coins have been lost (apparently), is because the issue was talked about at DEF CON 25. All Trezors, regardless of the firmware, use a chip that is vulnerable. According to the author of the article linked above, the chip will always be vulnerable in some way and Trezors are not safe unless all devices are replaced with ones that use safer chips.


Furthermore:

Trezor so far greatly downplays the importance of this hack. There is no long-term access needed to copy all your secret information from Trezor using this hack, it can be done just in 15 seconds. If your Trezor is stolen, you don’t even have time to transfer you funds to a new address. Government authorities can access all your Bitcoins and other crypto currencies without even asking for your consent. If you are crossing an international border, TSA can easily check your balances, etc. IRL, Trezor is as safe as leaving your cash or wallet on the table. On top of all that, your Trezor can be restored to its original state or replaced with identical Trezor with the same configuration, you wouldn’t even notice any difference until it is too late.

The exploit surely now can be done in 15 seconds at the airport since the source code for it is public.

The key to performing this hack is simply connecting two pins inside the Trezor device at the right time, even paperclip is suitable for this.

Only a simple version of this hack requires the disassembly of Trezor. A more advanced version also exists. No disassembly is required!

The author linked a satoshibox file with an exploit for the new firmware (1.5.2) but the link is broken.

What can you do?

  • Turn on password protection. Passwords in Trezor create a 25th word of a seedphrase. Trezor claims password protection makes the devices safe against this exploit, it is for researchers now to prove or disprove that.

  • Keep your Trezor in a vault, don’t have it on you when you cross borders. You could have done better with a paper wallet though, or simply with a seedphrase note, couldn’t you?

  • Build your own cold storage solution. Back in the day, people used to use a spare clean computer with Armory or Electrum. BitcoinArmory is maintained again but Electrum is the wallet that gets forked to support your altcoin of the month. When you have doubts as to whether to trust a wallet software, like many people had with Bitcoin Cash wallet Electron, you can always install it on a virtual machine.

About the author

Written by KarlVonBahnhof

KarlVonBahnhof also on Reddit, Chris belongs to the crypto trader class of 2013. Located in the Americas most of the time, you're most likely to meet at r/BitcoinMarkets though.

 

Last added to Crypto Airdrops, Bounties & Opportunities
Name Date How to access Official URL Additional Info
Cloudbet Turbo Thursday Reload Bonus Every Thursday between 05:00-23:59 UTC Make a deposit of 0.1 mBTC or more today, Cloudbet gives you a 100% Reload Bonus of up to 50 mBTC/1 BCH. Remember you must activate the bonus in your player dashboard before making a deposit for the bonus to be credited! The bonus is only available for the Casino, not the Sportsbook. details make acct
Bethereum Price Pool on VK October 2019 There are regular competitions with the total pool of prizes worth 40K Bether if you join the gaming platform's VK channel. details make acct
FanEspo Big Competition (ERC20) All the time Fanespo is launching a new promotion contest worth $500 in FAN tokens. Details will pop up on you when you sign up on site. Overall, the eSports platform FanEspo is giving away the total of $1.6 million of tokens in contests. You need to have a FanEspo account. details make acct
Atomars Opportunity Launch promo There is a new altcoin axchange launched that now offers zero-fee trading, and possibly thinner markets for the market makers around. details make acct
Keybase Stellar Lumens Drop 11 September 2019 & Onwards The Keybase team announced a surprise airdrop worth 21 USD in XLM to all account holders who ever installed the Keybase app. To get the Lumens, you need to sign in again and claim them - you should have received a bot message with instructions. Keybase has been funded by the Stellar Developer Foundation for years and so this collab is not a one-off. You can choose to keep participating in the Lumens airdrop by using Keybase, the total dollar worth each user can get is 500 USD. New accounts can still participate as long as they have a Github or HackerNews account created before 9 September 2019. more join
BlockWage Airdrops + Bounties Recurring Platform for freelancers marketplace. Airdrops randomly announced via Discord, there's also the possibility of Masternodes. join web
Vaultoro Token Launch Promo September 2019 The crypto-gold exchange Vaultoro has been around for years, getting attention in the 2015 bear market and tagging along through the subsequent bull run. They are now launching their own exchange token which you can get for free if you don't have an account yet. Every new sign up with basic ID verification gets 200 VAULT tokens. homepage make acct