Trezor devices have serious security vulnerability - #CryptoTrading

Published in Psa · Labeled as PSA ·

...even after any possible firmware update.

In August 2017, Trezor released a security update. It updated your firmware to version 1.5.2 because older firmware versions could expose your seedphrase to someone who stole the device, took it apart and flashed it with a modified firmware.

Here is the official story from Satoshi Labs:

It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.

In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially-crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible.

With firmware 1.5.2, this attack vector is eliminated and your device is safe.

As it happens, the unofficial version is a lot worse:

The frantic patch creation we see now, before any coins have (apparently) been lost, is because the issue was discussed at DEF CON 25. All Trezors, regardless of firmware version, use a chip that is vulnerable. According to the author of the article linked above, the chip will always be vulnerable in some way, and Trezors are not safe unless all devices are replaced with ones that use safer chips.


Furthermore:

Trezor so far greatly downplays the importance of this hack. There is no long-term access needed to copy all your secret information from Trezor using this hack; it can be done in just 15 seconds. If your Trezor is stolen, you don’t even have time to transfer your funds to a new address. Government authorities can access all your Bitcoins and other cryptocurrencies without even asking for your consent. If you are crossing an international border, the TSA can easily check your balances, etc. IRL, Trezor is as safe as leaving your cash or wallet on the table. On top of all that, your Trezor can be restored to its original state or replaced with an identical Trezor with the same configuration; you wouldn’t even notice any difference until it is too late.

The exploit surely now can be done in 15 seconds at the airport since the source code for it is public.

The key to performing this hack is simply connecting two pins inside the Trezor device at the right time; even a paperclip is suitable for this.

Only the simple version of this hack requires disassembly of the Trezor. A more advanced version also exists, and it requires no disassembly at all!

The author linked a satoshibox file with an exploit for the new firmware (1.5.2) but the link is broken.

What can you do?

Extend your seed with a 25th word.

Passwords in Trezor create a 25th word of the seedphrase. Trezor claims password protection makes the device safe against this exploit; it is for researchers now to prove or disprove that.
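Why the 25th word matters, as an added example that is not from the original post and not Trezor's own code: BIP39 derives the wallet seed from the mnemonic words and the passphrase together (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase), so the words alone, which is what this hack reads off the device, do not yield the same seed. The mnemonic and "TREZOR" passphrase below are the first entry of the public BIP39 reference test vectors.

```python
import hashlib
import unicodedata

# First public BIP39 reference test vector: all-"abandon" mnemonic, passphrase "TREZOR".
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_VECTOR_SEED = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from the mnemonic and an optional passphrase."""
    # BIP39 requires NFKD normalisation of both inputs before they are hashed.
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    # 2048 rounds of PBKDF2-HMAC-SHA512, 64-byte output, as specified by BIP39.
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seeds_differ(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase changes the seed, i.e. the words alone are not enough."""
    return bip39_seed(mnemonic, "") != bip39_seed(mnemonic, passphrase)


if __name__ == "__main__":
    print("vector ok:", bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_VECTOR_SEED)
    print("passphrase changes seed:", seeds_differ(TEST_MNEMONIC, "TREZOR"))
```

The passphrase is not stored on the device, so its strength is what stands between the copied words and the wallet; a short or guessable one can be brute-forced offline with exactly this derivation.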

Don’t carry your Trezor on you when you cross borders.

It is the physical access that is dangerous.

Build your own cold storage solution.

Back in the day, people used a spare laptop with Armory or Electrum on it. Electrum is the better choice now, as BitcoinArmory is only maintained sporadically.

Learn more about Electrum in the ATNET Glossary and the links from there.

Category: Psa · Label: PSA · Author: Karlvonbahnhof (contact author)
