Trezor devices have serious security vulnerability - #CryptoTrading

...even after yesterdays security update of the firmware.
Blog
     · [cryptocurrency-wallets]  · Author: KarlVonBahnhof

Just yesterday, Trezor released a security update. It updated your firmware to version 1.5.2 as older versions of firmware could make your seedphrase visible to someone who’d steal the device, took it apart and flashed it with a hacked-up firmware.

Here is the official story from Satoshi Labs:

It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.

In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially-crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible.

With firmware 1.5.2, this attack vector is eliminated and your device is safe.

As it happens, the unofficial version is a lot worse:

The frantic patch creation we see now, before any coins have been lost (apparently), is because the issue was talked about at DEF CON 25. All Trezors, regardless of the firmware, use a chip that is vulnerable. According to the author of the article linked above, the chip will always be vulnerable in some way and Trezors are not safe unless all devices are replaced with ones that use safer chips.


Furthermore:

Trezor so far greatly downplays the importance of this hack. There is no long-term access needed to copy all your secret information from Trezor using this hack, it can be done just in 15 seconds. If your Trezor is stolen, you don’t even have time to transfer you funds to a new address. Government authorities can access all your Bitcoins and other crypto currencies without even asking for your consent. If you are crossing an international border, TSA can easily check your balances, etc. IRL, Trezor is as safe as leaving your cash or wallet on the table. On top of all that, your Trezor can be restored to its original state or replaced with identical Trezor with the same configuration, you wouldn’t even notice any difference until it is too late.

The exploit surely now can be done in 15 seconds at the airport since the source code for it is public.

The key to performing this hack is simply connecting two pins inside the Trezor device at the right time, even paperclip is suitable for this.

Only a simple version of this hack requires the disassembly of Trezor. A more advanced version also exists. No disassembly is required!

The author linked a satoshibox file with an exploit for the new firmware (1.5.2) but the link is broken.

What can you do?

  • Turn on password protection. Passwords in Trezor create a 25th word of a seedphrase. Trezor claims password protection makes the devices safe against this exploit, it is for researchers now to prove or disprove that.

  • Keep your Trezor in a vault, don’t have it on you when you cross borders. You could have done better with a paper wallet though, or simply with a seedphrase note, couldn’t you?

  • Build your own cold storage solution. Back in the day, people used to use a spare clean computer with Armory or Electrum. BitcoinArmory is maintained again but Electrum is the wallet that gets forked to support your altcoin of the month. When you have doubts as to whether to trust a wallet software, like many people had with Bitcoin Cash wallet Electron, you can always install it on a virtual machine.



Posted in Cryptocurrency wallets
Tagged as  

 

Last added to Crypto Airdrops, Bounties & Opportunities
Airdropped Token or Opportunity Airdrop Date About the airdrop Link
Twelve New LATOKEN Airdrops Live There are currently twelve new token airdrops on the LATOKEN exchange (DigiByte, Coinway, Payzus, Bitfxt ...). All of them are live now and end between 29 Oct and 4 Nov. If you sign up with the link here you get 50 USD fee credit. sign up
ByBit Signup Bonus 10 USD + MORE! (no KYC) Until Oct 31, 2020 ByBit is a trading platform that offers perpetual swaps of large cap cryptos without KYC (Be mindful of risks and legal implications). In October 2020, you get 10 USD worth of BTC sign up bonus - you need to sign up and deposit at least 0.02 BTC. There are more bonuses waiting in the Rewards Hub after you sign up. sign up
Bitrefill Birthday Contest Until Oct 26, 2020 Bitrefill turns 6 years old on October 26th and will hold a contest for Best Bitrefill Story, with a 100 USD award in Bitrefill Balance. Follow @bitrefill on Twitter to get the announcement first. use bitrefill via bitfinex
Staking without KYC on WhiteBit New! WhiteBit opened 17 different staking plans with 9 different currencies to choose from. 40% APR, available to the users without KYC. (Be mindful of risks) sign up
🌶️Chiliz Twitter Giveaway Pool of $2,500 in $CHZ Now! Chiliz is promoting the downloads of their new app with a draw of 10 winners by 250 USD in $CHZ tokens. tweet with info
Opportunity: Trade DeFi Tokens with NO FEES 14 days after signup The token exchange WhiteBit gives you 14 days of zero-fee trading if you sign up with a shill link. No KYC until 2 BTC/day withdrawal limit, lots of new DeFi projects get listed there. sign up
YoBit Get Free 1700 Dollars After signup YoBit is having a token giveaway. Sign up at YoBit and click the link "Get free 1700 dollars" in the top bar. This will take you to a Telegram bot where you can sign up to participate in the giveaway. sign up