Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: bL4nkcode on January 31, 2020, 03:29:51 PM



Title: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: bL4nkcode on January 31, 2020, 03:29:51 PM
Kraken Security Labs has devised a way to extract seeds from both cryptocurrency hardware wallets offered from industry leader Trezor, the Trezor One and Trezor Model T.

The attack requires just 15 minutes of physical access to the device. This is the first time that the detailed steps for a current attack against these devices have been disclosed.

Twitter Post: https://twitter.com/krakenfx/status/1223253508956266496
Source: https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets
Trezor response to the attack: https://blog.trezor.io/our-response-to-the-read-protection-downgrade-attack-28d23f8949c6



Btw I'm a ledger user and never had trezor HW yet.

Note: Don't ever let anyone have touch/physical access to any of your hardware wallets. Keep it safe always.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Zicadis on January 31, 2020, 04:42:17 PM
Well these kinds of attacks were always going to be possible. For example, anybody who has access to your hardware wallet could simply install a device that records your PIN and transmits it wirelessly, or install cameras in the room or pressure-sensitive film over the buttons to register your presses and record the PIN.

They're still going to be a step up over simply storing your private key or seed phrase on a paper wallet.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: The Sceptical Chymist on January 31, 2020, 04:47:48 PM
Wait, what?  From Trezor's response, this has been known about since October of last year (although they apparently just responded now).

Anyway, I'm ignorant as far as technical details go but this stood out to me:
Quote
It’s important to note that this attack is viable only if the Passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack.

So that tells me that it isn't always possible to hack the Trezor if someone has possession of it.  Someone please correct me if I've interpreted that incorrectly.

This is still very interesting to me, as I've often wondered how easy it would be for someone to get access to a hardware device's private keys.  Till now I had no clue, and I'd assumed that it would have been impossible--oops!  I've never used a Trezor, but now I'm curious as to what it would take to hack a Ledger or any of the other hardware wallets on the market.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: mgoz on January 31, 2020, 09:11:48 PM
So that tells me that it isn't always possible to hack the Trezor if someone has possession of it.  Someone please correct me if I've interpreted that incorrectly.

You are correct. This attack is not possible if you use a passphrase.

From Satoshi Labs:
Quote
To protect our devices against physical attacks without compromising our principles, we invented and implemented the Passphrase feature. The passphrase itself is not stored anywhere in hardware, SatoshiLabs doesn’t possess a backup, and therefore cannot be exposed or in any way “hacked” by a third party. When it comes to the passphrase, the user is the most crucial part of the whole process as it’s up to you to decide how complex your passphrase will be, how will you store it, protect it, or whether you should use one at all.

From Kraken:
Quote
Enable Your BIP39 Passphrase with the Trezor Client
This passphrase is a bit clunky to use in practice but is not stored on the device and therefore is a protection that prevents this attack.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Zicadis on January 31, 2020, 09:29:48 PM
Wait, what?  From Trezor's response, this has been known about since October of last year (although they apparently just responded now).

Anyway, I'm ignorant as far as technical details go but this stood out to me:
Quote
It’s important to note that this attack is viable only if the Passphrase feature does not protect the device. A strong passphrase fully mitigates the possibilities of a successful attack.

So that tells me that it isn't always possible to hack the Trezor if someone has possession of it.  Someone please correct me if I've interpreted that incorrectly.

This is still very interesting to me, as I've often wondered how easy it would be for someone to get access to a hardware device's private keys.  Till now I had no clue, and I'd assumed that it would have been impossible--oops!  I've never used a Trezor, but now I'm curious as to what it would take to hack a Ledger or any of the other hardware wallets on the market.

Isn't the passphrase just an additional word added to the seed phrase? If so, surely they could just retrieve the 24 word seed phrase, and then brute force the 25th word via a dictionary attack?

Doesn't really seem to be that much additional security, or is there something I'm missing?


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: mgoz on February 01, 2020, 01:41:26 AM
Isn't the passphrase just an additional word added to the seed phrase?

It is used in combination with the recovery seed to access a single hidden wallet and can be any length you want. You can also create as many hidden wallets as you want with multiple different passphrases. Technically speaking, yes you could attempt to brute force a passphrase for a single hidden wallet with the recovery seed taken from the chip, but this would be extremely difficult unless it is a very basic passphrase. Any incorrect passphrase is still going to generate a wallet, but with no funds. Using a passphrase that could be easily brute forced would defeat the purpose of using a passphrase to begin with unless you are creating decoy wallets. A random 12 character alphanumeric passphrase would cost $128 billion on average to crack today. Passphrases will weaken over time, so choose strong ones, or transfer funds to another hidden wallet with a stronger passphrase if the existing one is too weak.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Pmalek on February 01, 2020, 08:14:19 AM
If so, surely they could just retrieve the 24 word seed phrase, and then brute force the 25th word via a dictionary attack?
Brute forcing a long and complicated password would take years. Your password should never consist of easy-to-guess dictionary words. I am not sure how reliable this source is: https://www.betterbuys.com/estimating-password-cracking-times/.

But they say that a 10 character password would take 4 months to brute force.
An 11 character password 10 years, and a 12 character one would take 200 years.

I like the part where you can test the strength of passwords on site. Just don't enter passwords you use in real life. But an interesting feature to play with. 


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Saint-loup on February 01, 2020, 09:23:06 AM
Kraken Security Labs has devised a way to extract seeds from both cryptocurrency hardware wallets offered from industry leader Trezor, the Trezor One and Trezor Model T.

The attack requires just 15 minutes of physical access to the device. This is the first time that the detailed steps for a current attack against these devices have been disclosed.

Twitter Post: https://twitter.com/krakenfx/status/1223253508956266496
Source: https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets
Trezor response to the attack: https://blog.trezor.io/our-response-to-the-read-protection-downgrade-attack-28d23f8949c6



Btw I'm a ledger user and never had trezor HW yet.

Note: Don't ever let anyone have touch/physical access to any of your hardware wallets. Keep it safe always.
Where have you seen that?  ??? Did you read the report of the exploit and watch the video? https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets
You need to fully disassemble the ledger and extract the chipset, the case sealing has to be broken.
In practice only an electronic engineer in a laboratory with the necessary equipment is able to conduct this attack. So I wouldn't be surprised if the leak came from a competitor in fact ::) The exploit is highly technical and sophisticated.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Lucius on February 01, 2020, 11:24:09 AM
In his official press release, Trezor said this is very likely a similar vulnerability the Ledger Donjon Team discovered last year, and I posted about this in this topic: Trezor&Keepkey - Unfixable Seed Extraction - A practical and reliable attack! (https://bitcointalk.org/index.php?topic=5180137.0).

As you can see, there is no fix for this problem in such a way that it can be repaired with the new firmware. The only sure solution is to use a passphrase - " Donjon Team suggest that this passphrase should be about 37 characters long to prevent dictionary and brute-force attacks."

Given that the passphrase is not stored in a hardware wallet, it will protect you even in the event of a physical attack when the attacker extracts the seed from a hardware wallet.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 01, 2020, 12:55:58 PM
From Trezor's response, this has been known about since October of last year (although they apparently just responded now).
The Ledger team released details of probably the same attack in July of last year. Certainly the attack they performed has the same outcome - if someone has physical access to your device they can extract the seed. See Lucius' link above. I own a Trezor device, but have since reset it, don't store any coins on it, and haven't used it at all, since a few weeks after that release. I was concerned about the attack, and I was also concerned about Trezor's response, which was essentially "Meh, use a passphrase", and didn't state in any way how they were going to address the issue (and they still haven't).

So that tells me that it isn't always possible to hack the Trezor if someone has possession of it.  Someone please correct me if I've interpreted that incorrectly.
So the attack is always possible regardless of whether or not you use a passphrase. An attacker using this method will always be able to extract your 24 word seed. The difference is whether or not your coins are also secured by a passphrase. If they aren't, then once an attacker has your seed they can steal your coins. If they are, then once an attacker has your seed they can try to brute force your passphrase, and then steal your coins.

In practice only an electronic engineer in a laboratory with the necessary equipment is able to conduct this attack.
Quite the opposite. The Ledger release above shows the attack was possible using a single board with components costing less than $100, using only "basic electronics techniques". Not only is this attack potentially easily reproducible, but someone could also manufacture and sell those boards.

For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 01, 2020, 01:54:40 PM
This was discussed before here:
https://bitcointalk.org/index.php?topic=5146284.0 (https://bitcointalk.org/index.php?topic=5146284.0)

Dave's view: Neither of the big 2 hardware wallet makers are that great against a determined foe. There are ways of mitigating the risk, but they are human dependent (long passphrase, keep it secure, etc.)

I am partial to the coldcard, but even then I know it is not perfect.

But, as stated before and by other posters in this thread 37 character passphrases are a joke.

100% personal opinion and nothing more: I trust NOTHING that comes from SatoshiLabs / Slush and never will. I used to when I was "young and learning about bitcoin and crypto" but now that I know better. Nope. He / that team do just enough to get the job done and no problems are ever their fault.

-Dave


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: hugeblack on February 01, 2020, 03:38:03 PM
I don’t know what is the benefit of republishing this news, everyone knows that physical access to any device will expose you to danger and that the use of easy-to-guess passwords makes you vulnerable to hacking. Perhaps the platform is trying to gain media.

Everyone should remember that no wallet is completely safe and nothing is immune to hacking; your use of more than one wallet, strong passwords, distrust of any third party, and following the news will spare you all of these hacks.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Saint-loup on February 01, 2020, 07:00:10 PM
In practice only an electronic engineer in a laboratory with the necessary equipment is able to conduct this attack.
Quite the opposite. The Ledger release above shows the attack was possible using a single board with components costing less than $100, using only "basic electronics techniques". Not only is this attack potentially easily reproducible, but someone could also manufacture and sell those boards.
So because Ledger, their main competitor is saying that (without any proof) (https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/) it's necessarily true?
You have read the Kraken report and watched their video? You really think it's easily reproducible by anyone? There are certainly more chances to destroy the chip by doing all those manipulations than to succeed for the average handyman IMO.
And the equipment they used doesn't cost only $100...

For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.
Again you are quoting the Ledger claims... but you said exactly the opposite 3 days ago for just 2048^4 combinations...  :-\
For every possible seed phrase he has to go through 2048 iterations of PBKDF2 using HMAC-SHA512 to get a 512-bit seed number. For each seed number he then has to perform HMAC-SHA512 to create a master private key, again to create a child private key, ECDSA with secp256k1 to create a public key, SHA256 and RIPEMD160 to get an address, and then each address has to be checked for balance on the blockchain. And that's the minimum amount of work assuming you are using m/44'/0'/0'/0/0. Any other address, change address, account, or purpose (address type) requires additional work.
The passphrase is UTF-8 encoded; 37 random characters gives 1 million^37 combinations...


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 01, 2020, 07:44:11 PM
So because Ledger, their main competitor is saying that (without any proof) (https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/) it's necessarily true?
Ledger disclosed the attack to Trezor. Trezor's response was essentially "You need physical access and mitigated by a passphrase". If Ledger had lied and completely made it up, would Trezor not just have said that? It would be pretty irresponsible of Ledger to release the actual set up they used.

but you said exactly the opposite 3 days ago for just 2048^4 combinations...  :-\
All I said in that previous thread was that there was more work to be done than simply trying different seed phrases which would slow down the bruteforce attempt, and 10 billion combinations a second is too high a number. I never said a bruteforce attempt would be impossible. Assuming an attacker also knows your addresses (because otherwise why would they be targeting you), then with this attack you can also skip the blockchain look-up step.

2048^4 is 44 bits of entropy. This is brute-forcible. The average human generated password has entropy of around 40.5 bits (https://www.microsoft.com/en-us/research/wp-content/uploads/2006/11/www2007.pdf). Again, this is brute-forcible. My point above is that if you are assuming your seed can be accessed, but you want to maintain the same level of security, then you need a very long and random passphrase, which almost nobody will be using.
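The passphrase mechanics mgoz describes above (one seed, many hidden wallets, a wrong passphrase silently yielding an empty wallet) and the entropy figures argued over here, as an added example that is not from the original thread, Trezor, Kraken or Ledger: it derives the BIP39 seed exactly as the specification does (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and compares the entropy of the passphrase choices debated in the posts. The mnemonic and expected seed are the published BIP39 test vector; the 95-symbol printable-ASCII and 62-symbol alphanumeric alphabets are assumptions for the entropy comparison.

```python
import hashlib
import math
import unicodedata

# Fixed by the BIP39 specification, not assumptions.
PBKDF2_ROUNDS = 2048
SEED_BYTES = 64

# Published BIP39 test vector (all-zero entropy), not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP39 seed from a mnemonic and optional passphrase.

    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase).
    The passphrase is never stored on the device: every string, including a
    wrong one, produces a valid-looking seed and therefore a different wallet,
    which is why Trezor calls these "hidden wallets".
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=SEED_BYTES)


def hidden_wallets_differ(mnemonic: str, passphrases) -> bool:
    """True when every passphrase in the list maps to a distinct seed."""
    passphrases = list(passphrases)
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(passphrases)


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols.

    This is the number an attacker who already holds the extracted seed
    has to search; compare it with the 256 bits of a 24-word mnemonic.
    """
    return length * math.log2(alphabet_size)


def entropy_comparison() -> dict:
    """Entropy (bits) of the passphrase styles discussed in the thread.

    Alphabet sizes are assumptions: 2048 = BIP39 word list, 62 = [A-Za-z0-9],
    95 = printable ASCII.
    """
    return {
        "24-word mnemonic (256 bits of entropy)": 256.0,
        "4 extra BIP39 words (2048^4)": passphrase_entropy_bits(4, 2048),
        "12 random alphanumeric characters": passphrase_entropy_bits(12, 62),
        "37 random printable ASCII characters": passphrase_entropy_bits(37, 95),
    }


if __name__ == "__main__":
    # Same seed phrase, three passphrases: three unrelated wallets, no error for any of them.
    for p in ["", "TREZOR", "trezor"]:
        print(f"passphrase={p!r:10} seed={bip39_seed(TEST_MNEMONIC, p).hex()[:16]}...")
    for label, bits in entropy_comparison().items():
        print(f"{bits:6.1f} bits  {label}")
```

Passphrases are case-sensitive and compared only after NFKD normalization, so "TREZOR" and "trezor" open different hidden wallets.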


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 02, 2020, 01:34:56 PM
So because Ledger, their main competitor is saying that (without any proof) (https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/) it's necessarily true?
Ledger disclosed the attack to Trezor. Trezor's response was essentially "You need physical access and mitigated by a passphrase". If Ledger had lied and completely made it up, would Trezor not just have said that? It would be pretty irresponsible of Ledger to release the actual set up they used.

Other people did. It's out there if you look.
Now this next little bit REALLY makes it look like I'm shilling for Coinkite / Coldcard, but a blurb from their marketing:

Quote
SECURE ELEMENT FOR KEY STORAGE
We find it quite scary that some Bitcoin wallets trust the main microprocessor with their most valuable secrets. Instead, Coldcard uses a Secure Element to protect your Bitcoin.

Specifically, the Coldcard (Mk3) uses Microchip's ATECC608A to store the critical master secret: the 24-word seed phrase for your BIP32/BIP39 wallet.

This little chip is very powerful. Communication is controlled by complex challenges and SHA-256 responses which prevent replay and eavesdropping. The secure element enforces cryptographically that the attacker must know the PIN to access the secrets. An attacker cannot brute-force combinations or replay a previous login sequence. This remains true even if they removed the chip from the board or fully replaced the firmware in the main microprocessor. In fact, even with the secure element removed from the system, and all the secrets of the main micro fully known, the attacker would still only get 13 tries before the secure element bricks itself! (Don't worry, this counter is reset every time you login correctly.)

So if they can do it why can't others?

They also have the self-destruct PIN option and the sign-with-SD-card option, so it's always airgapped.

I would say it's not that difficult, but I am sure it is. But if they can do it other people can too. That is if they actually care enough to try.

On another note they also have a nice document about PIN use and some thoughts about how / why it works the way it does:

https://raw.githubusercontent.com/Coldcard/firmware/master/docs/pin-entry.md (https://raw.githubusercontent.com/Coldcard/firmware/master/docs/pin-entry.md)

-Dave




Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Wind_FURY on February 03, 2020, 06:37:40 AM
I don’t know what is the benefit of republishing this news, everyone knows that physical access to any device will expose you to danger and that the use of easy-to-guess passwords makes you vulnerable to hacking. Perhaps the platform is trying to gain media.


It wasn't republished. Kraken did their own version of an attack done at hacking conferences, and thought that it might be a good idea, which it is, to remind everyone, again, to put a passphrase.

Quote

Everyone should remember that there is no wallet completely safe and there is nothing against hacking, your use of more than one wallet, strong passwords, distrust of any third party, follow-up news will spare you all of these hacks.


Put a passphrase.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: HCP on February 03, 2020, 08:48:27 PM
Yeah I saw this article on my newsfeed the other day... and was like "Wasn't this already done and discussed?" ???

Seems that Kraken just reproduced what Ledger already did... and said what we already know:
If you use a Trezor, make sure you are using the passphrase feature!


Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people... :P


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 03, 2020, 11:00:44 PM
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people... :P

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: HCP on February 04, 2020, 03:24:53 AM
Assuming they lug some laboratory equipment with them while breaking into my secure apartment building... and they know precisely where my hardware wallet is stored... assuming, as you say, that they even know I have one in the first place! ::) ::)

That's why I said "somewhat theoretical"... Yes, it's possible... but is it really probable? ??? For me... the answer would be "No". I think it would be more likely that my wallet/phone would be stolen from my pocket/bag while I was out and about during the day... and I'm not terribly worried about that either.

While I will admit that it is a huge flaw in the design of the Trezor, this is not exactly a doomsday scenario that everyone seems to want to make it... Put on a "decent" passphrase (which isn't that difficult or annoying to use) and the entire thing essentially becomes a moot point anyway.

For anyone with enough coin stored on a Trezor to be worried about losing it... then simply switching to a Ledger or Coldcard or another hardware wallet shouldn't be a massive issue.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Wind_FURY on February 04, 2020, 08:30:00 AM
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people... :P

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.


I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.


Quote

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Pmalek on February 04, 2020, 10:13:59 AM
I wear my Trezor around my neck.
If I did that I would find myself checking constantly if it is still there, if it didn't get caught on something and fall off.



I assume an attack like this is not possible on a Ledger device. Seems that only Trezor users without passphrases have reasons to worry.
I would be interested in finding out how hard security experts have tried to break Ledger wallets as well.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 04, 2020, 10:57:15 AM
While I will admit that it is a huge flaw in the design of the Trezor, this is not exactly a doomsday scenario that everyone seems to want to make it... Put on a "decent" passphrase (which isn't that difficult or annoying to use) and the entire thing essentially becomes a moot point anyway.
Well, it depends on your threat model, and how you use your Trezor. I use hardware wallets as a semi-cold wallet from my desktop computer, and they never leave my house or secure back up locations. I don't carry them around with me, and no one in real life other than my wife even knows they exist. So for me this attack is low risk, although I have still stopped using my Trezor and replaced it with another Ledger device.

But what about if you use your hardware wallet to secure a mobile wallet, for example? You carry it around constantly in your pocket or a bag, people see you using it, can maybe even track your addresses by watching you spend from it to a merchant's known address, and so on. Both the likelihood of being targeted and the possibility of this attack (or similar) increase significantly.

Now, while passphrases are great, and everyone with a hardware wallet should be using them, the passphrase answer by Trezor is completely unsatisfactory. It does nothing to address the failure in their wallets. The majority of people don't use a passphrase, and the majority of those who do certainly aren't using a long and truly random one. They have done little to publicize this need to their users. Really, they should be releasing a patch which requires all users to set a passphrase of minimum x characters. If we assume someone has accessed your seed and the only thing protecting your coins is a passphrase, then what you have left is little better than a brain wallet.

I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.
What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Wind_FURY on February 05, 2020, 10:39:05 AM

I wear my Trezor around my neck. No one can get physical access to it, except when I'm in the shower for 20 to 30 minutes.

What if someone swapped it for another Trezor device? How long would it be before you plugged it in and realized it had been switched?


Then I'm very confident that it would take the hacker a very long time to brute force my passphrase. I will surely find out that the device was switched well before he can guess it. It won't be close.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 05, 2020, 07:59:18 PM

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask, an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.

Which is still not a lot of time, so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters, it's still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a trezor

So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 05, 2020, 08:38:27 PM
I will surely find out that the device was switched well before he can guess it.
Oh, I was speaking more in generalities rather than at you directly. Apologies for not being more clear. I was suggesting that I'm sure there are an awful lot of people out there who are more careless, and might not notice that their hardware wallet had been swapped or even notice if it was missing altogether for an extended period of time. A very clever attacker, after opening your device and extracting your seed, could even restore your seed to a brand new device and return that new device to wherever you are storing your Trezor. You (not you personally :P) would be none the wiser.

Which is still not a lot of time, so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters, it's still in the low hours with powerful enough HW.
An attacker doesn't need to have physical access to your device to brute force the passphrase once they have extracted your seed, though.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: 20kevin20 on February 05, 2020, 09:50:11 PM
I own a Ledger Nano S. Am I at risk too?

I've carried my Nano S in many places before knowing it could become physically exploited at any time.

Since I found out, I'm extra careful. I just thought I could carry it around and if I lose it - who cares? I got my seed, right? This is how it's been marketed around.

It looks like that's not the case. I haven't used a passphrase before on my Ledger due to the fear of forgetting it. Had a similar experience (https://bitcointalk.org/index.php?topic=5220941.msg53763687#msg53763687) before and it sucks, I want to avoid a 2nd disaster.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed. Knowing the PIN is pretty short and numeric-only, AFAIK it's pretty easy to be bruteforced (although physical introduction of a false PIN 3x leads to the autoreset of a Ledger).

If that is the case and I'm not mistaken, wouldn't this problem be solved on both Trezor and Ledger by changing the HW PIN with an alphanumeric password? It would be pretty damn annoying to have to go through +35 characters by using just 2 physical buttons (speaking about Nano S), but I'd do it if that's what it takes to protect the theft of my seed.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 05, 2020, 10:21:36 PM
I own a Ledger Nano S. Am I at risk too?
There is not an equivalent attack known about at present for Ledger devices. With enough time and money, any hardware wallet is potentially breakable though, for example by examining the secure element with an electron microscope.

I've read the article and, from what I understood, this passphrase is being combined with the seed, hence it is a completely different thing when compared to the PIN of the HW. Right? Passphrase is linked to the seed, PIN is linked to the HW.
Correct. PIN is only used to unlock your device. It is irrelevant to restoring your wallet from the seed phrase. If you set a passphrase, you will be unable to recover the wallets behind it without both seed phrase and passphrase.

If so, then I suppose the seed is extracted from the device by bruteforcing the PIN and then accessing the seed.
This attack does not involve bruteforcing the PIN, so any modifications to the PIN would be irrelevant.

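Since much of this thread turns on the difference between the PIN and the passphrase (and on the multiple hidden wallets mentioned further down), here is an added example, not code from the original posts or from Trezor, showing how BIP39 derives the seed: the mnemonic and the passphrase go into PBKDF2-HMAC-SHA512, the PIN does not. The mnemonic is the public all-"abandon" BIP39 test vector, the candidate passphrase list is constructed, and the "target seed" in the attacker model is an assumption standing in for what a real attacker does (derive addresses from each candidate seed and look for funds).

```python
import hashlib
import unicodedata
from typing import Dict, List, Optional

# Constructed input: the well-known all-"abandon" BIP39 test mnemonic (it encodes
# 16 zero bytes of entropy). It is a public test vector, not anyone's real wallet.
EXAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation.

    seed = PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic" + passphrase,
                              iterations=2048, dklen=64)

    Both strings are NFKD-normalised first, as the spec requires. Note what is
    absent: the device PIN. It only gates access to the stored mnemonic; once the
    mnemonic is out of the device, the passphrase is the only remaining secret.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def hidden_wallets(mnemonic: str, passphrases: List[str]) -> Dict[str, str]:
    """Each distinct passphrase yields a distinct seed, i.e. a distinct "hidden"
    wallet behind the same mnemonic. The empty passphrase is the plain wallet."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def dictionary_attack(mnemonic: str, candidates: List[str],
                      target_seed: bytes) -> Optional[str]:
    """Model of the attacker's position after the mnemonic has been extracted:
    try candidate passphrases offline until one reproduces the target.

    The known target seed is a simplification (an assumption for this example);
    a real attacker derives addresses from each candidate seed and checks them
    for funds instead. Either way the cost per guess is 2048 HMAC-SHA512 rounds.
    """
    for candidate in candidates:
        if bip39_seed(mnemonic, candidate) == target_seed:
            return candidate
    return None


if __name__ == "__main__":
    wallets = hidden_wallets(EXAMPLE_MNEMONIC, ["", "TREZOR", "correct horse battery staple"])
    for passphrase, seed in wallets.items():
        print(f"passphrase={passphrase!r:32} seed={seed[:32]}...")

    # Constructed candidate list standing in for a passphrase wordlist.
    guesses = ["password", "dog", "god", "TREZOR", "zzzz"]
    target = bip39_seed(EXAMPLE_MNEMONIC, "TREZOR")
    print("recovered passphrase:", dictionary_attack(EXAMPLE_MNEMONIC, guesses, target))
```

The point the code makes concrete: changing or lengthening the PIN changes nothing in `bip39_seed`, so once the mnemonic has been read out of the device, the passphrase's entropy is the whole defence.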

Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: Wind_FURY on February 06, 2020, 07:32:54 AM

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave


More. Plus preparation for the physical attack, it would take around 30 minutes or more, not including brute-force attack on the passphrase.

Which is still not a lot of time, so 30 minutes to get and attack it and however long to get your PW. Unless it's over 10 characters it is still in the low hours with powerful enough HW.

Remember this is a somewhat targeted attack. I have to know beforehand that

1) You have / use BTC
and
2) You use a trezor


So yeah, if you never take it off except to shower that is one thing. If you are like most people and leave it someplace (even what you think is secure) for a little longer then you might become a victim. Unless you have a secure password.

-Dave


Then it's still not a practical attack. Plus there's an option for "the owner" to secure his Bitcoins with different passphrases, with each going to a different hidden wallet. 8)


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 07, 2020, 06:19:45 PM
Although, the "requiring physical access to the device" part makes this "attack" somewhat theoretical for most people... :P

Yes and no.
Where is your hardware wallet? Is it always attached to you? Or, is at home while you are at work?
Do you bring it with you on vacation or is it in a safe at home? etc.

It's a 15 minute attack, so if they know you have it they can probably get in and get it and get your seed (if you don't have a strong password) in less time than it takes to get dinner. Depending on who you ask an 8 character password is minutes.

-Dave
If you are not known to have a lot of coin, you will probably not be the subject of this kind of attack. If you have a trezor in a desk drawer, and your house is burglarized, the burglars will probably ignore your trezor if they come across it. If you keep your trezor in a safe, and the safe fairly well hidden (under a carpet or rug, or behind a picture), chances are an attacker will not be able to physically access your trezor.

I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise, and move his coin via a backup, or an emergency pre-signed transaction that he broadcasts before the passphrase can be brute forced.

This attack does not require expensive equipment, but the equipment required to execute the attack is fairly specialized. An attacker would need to have specialized technical skills to execute this attack. These technical skills are very valuable in the job market, and an attacker would need to risk his ability to leverage these skills in the job market to even try to pull off this kind of attack.

Unfortunately, it is very difficult to protect information that is frequently accessed from attacks involving physical access to a device. 


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 08, 2020, 09:51:48 AM
I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.
The Ledger report states that even a 9 digit PIN was brute forcible within a few minutes.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise
This is true, but there are plenty of people who store a secondary hardware device off-site as a backup, and might only check on it once a week, once a month, or even less frequently. If an attacker was to access one of those, they could potentially have several months to try brute forcing a passphrase (assuming they have used one).


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: malevolent on February 09, 2020, 05:05:52 AM
For a passphrase to be as secure as a 24 word seed phrase, which is the security level you have to reach if you want your wallet to be as secure as if this attack didn't exist, then it needs to be 37 random characters. Given that only a minority of users even use a passphrase, and of those who do, a very small minority of them will use a passphrase of 37 random characters, Trezor's response to this attack is wholly unsatisfactory. Since most passphrases in use are probably human generated, then like passwords, they will be short, not random, and bruteforcible.

5 randomly chosen words from a very thick dictionary should be more than enough. (almost 91 bits of entropy if it's a dictionary with 300k entries)

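To put numbers on the entropy figures quoted in this thread (the 5-word passphrase from a 300k-entry dictionary above, the 24-word seed it is compared with, and the 4- and 9-digit PINs discussed earlier), here is an added calculator; it is not from any post and is not Trezor's or Ledger's code. The alphabet sizes, the guess rate and the 256-bit seed figure are the assumptions it works from, and the character count needed to match the seed depends on which alphabet the passphrase is actually drawn from.

```python
import math

# A BIP39 24-word mnemonic carries 256 bits of entropy (plus 8 checksum bits).
SEED_BITS_24_WORDS = 256

# Alphabet sizes are assumptions for this example; use the one matching how the
# passphrase was really generated. Human-chosen phrases are far below any of these.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def random_words_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words chosen uniformly from a dictionary (diceware style)."""
    return words * math.log2(dictionary_size)


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest random-character length reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest random-word count reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def expected_bruteforce_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right value: on average half the keyspace is searched.
    The guess rate is an assumption; a PBKDF2-protected secret (a BIP39 passphrase,
    or a PIN that keys an encrypted flash image) costs thousands of hashes per guess."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def report(guesses_per_second: float = 1e6) -> dict:
    """Figures for the cases discussed in the thread, at an assumed guess rate."""
    pin9 = random_chars_bits(9, 10)
    return {
        "pin_4_digits_bits": random_chars_bits(4, 10),
        "pin_9_digits_bits": pin9,
        "pin_9_digits_expected_seconds": expected_bruteforce_seconds(pin9, guesses_per_second),
        "five_words_300k_bits": random_words_bits(5, 300_000),
        "chars_to_match_seed": {name: chars_needed(SEED_BITS_24_WORDS, n)
                                for name, n in ALPHABETS.items()},
        "words_to_match_seed_300k": words_needed(SEED_BITS_24_WORDS, 300_000),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

At a million guesses per second a 9-digit PIN falls in minutes, which is consistent with the Ledger figure quoted later in the thread, while 91 bits of genuinely random passphrase is out of reach at any rate an attacker can buy today; the functions only tell you that if the passphrase really was chosen uniformly at random.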

Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 09, 2020, 06:29:34 AM
I believe the 15 minute timeframe is also predicated on the trezor user using a 4 digit PIN. If a longer PIN is used, it will take longer to execute this attack.
The Ledger report states that even a 9 digit PIN was brute forcible within a few minutes.
Which report are you referring to? There was a disclosure (https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/) in March 2019 by ledger that confirmed that a side channel attack allowing an attacker to discover the PIN was patched. I also don't see anything about a 9 digit PIN in that disclosure.

This attack makes the attacker destroy the trezor, so if a passphrase is used, the trezor owner could discover the compromise
This is true, but there are plenty of people who store a secondary hardware device off-site as a backup, and might only check on it once a week, once a month, or even less frequently. If an attacker was to access one of those, they could potentially have several months to try brute forcing a passphrase (assuming they have used one).
This is true for any off-site backup. Using a trezor is still going to be more secure than using a paper wallet, or an encrypted file on a hard drive or USB stick because specialized equipment and technical skills are necessary to perform this kind of attack. These technical skills are worth north of 6 figures on the job market per year, and the ability of an attacker to get hired and utilize these skills would be diminished if caught breaking and entering somewhere to steal a trezor.

Unlike an encrypted file, the end user can use multiple passphrases, and can use an easier to crack passphrase with a smaller amount of coin. This would mean an attacker would need to find the coin, and decide if he wants to continue expending resources to gain access to additional coin that may or may not exist. The attacker would also need to decide if he wants to spend the coin he finds immediately, possibly tipping off the victim that his trezor has been compromised, or wait to try to find another passphrase with more coin, and risk the victim will discover the compromise and move his coin.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 09, 2020, 09:15:52 AM
5 randomly chosen words from a very thick dictionary should be more than enough. (almost 91 bits of entropy if it's a dictionary with 300k entries)
Probably, but the point I was making was that if this attack is successful, then you are entirely relying on your passphrase to protect your coins. 91 bits of entropy, although probably enough, is a tiny amount when compared to the usual 256 bits of entropy of a seed. If you want your passphrase to be as secure as your seed, then it needs to be impractically long and random.

Which report are you referring to?
I was meaning this one: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/. Specifically:
Quote
Works on all firmware versions - On encrypted firmware (Keepkey & Trezor >= 1.8), the PIN must be bruteforced. It can take a few more minutes (on a fast computer) for a long PIN (9 digits)


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 09, 2020, 03:33:03 PM
Looking back through this thread and the other discussions about the vulnerability of some of the wallets there seem to be 3 things that keep coming around.

1) It's not that bad because of "xxx" reason. xxx can be needs access to the hardware, needs specialized equipment, needs an unreasonable amount of time.

2) It can be mitigated because of "yyy" reason. yyy can be long pin, long passphrase, there is no way to get to my device.

3) It can't happen to me because of "zzz" reason. zzz is my device never is unattended, my device is in a ultra secure location, etc.


The problem is this:
You could be holding a significant amount of money on one of these devices and they claim they are secure.
Then they make all these * notes about things you have to do to make it secure. Long pins, long passphrases, etc.

Which is great for us here reading these threads.

But, what about Bob? Alice told him to get a hardware wallet to keep things secure and he did. And he followed the setup instructions that did not mention the stupid long passphrase and 12 digit pin. And he even keeps it updated and occasionally reads the read me file with the new firmware.

But it's still not being posted on the hardware makers site in 40 point red font telling people about it.

I even told my favorite hardware wallet maker they should do this (and they failed).

So, yeah it's an issue now and going to continue to be one.

-Dave

small edit of a line because what I had in my brain did not make it properly to my keyboard.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 09, 2020, 03:58:37 PM
-snip-
Couldn't agree more.

The whole point of hardware wallets are that they are marketed as a simple and easy way to store your keys. They are often recommended to newbies on that exact premise. They are inferior to proper airgapped wallets, but much easier to set up and use. As soon as you start adding all these xxx, yyy, zzz caveats, they become less simple therefore less safe. Not only that, but Trezor make no mention of this attack whatsoever on their "Getting started" or "Basic features" manual/support page. Passphrases are mentioned exactly once on these pages here - https://wiki.trezor.io/User_manual:Setting_up_the_Trezor_device - where all they say is Trezor Manager can be used to set up a passphrase. You have to delve pretty deep in to the "Advanced settings" before they start recommending that you should use a passphrase, but still make absolutely no mention of this attack.

They can't just sweep an attack which has the potential for users to lose all the coins they own under the rug like this. Whenever this attack is discussed publicly their response is "It's not an issue because everyone should be using a long and random passphrase", but at no point in their set-up guide do they even mention passphrases exist, let alone that all users should be using one or risk losing everything.

There should be a big warning on their website and on their set-up guide stating "Yes, this attack exists, all future models will have different hardware to mitigate it, and all current users should be using passphrases".


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: malevolent on February 09, 2020, 07:59:19 PM
Well, they could certainly do more to inform their users about this, especially considering how much money some people are storing on their hardware wallets. When I first got my Trezor several years ago I had also been under an impression that a pin-protected Trezor is secure against all attacks, over the years it seems the narrative has changed.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 09, 2020, 08:31:08 PM
Well, they could certainly do more to inform their users about this, especially considering how much money some people are storing on their hardware wallets. When I first got my Trezor several years ago I had also been under an impression that a pin-protected Trezor is secure against all attacks, over the years it seems the narrative has changed.

How about ANYTHING to inform their users.
E-mail to known owners.
Notifications on the home page.
Popups on the access pages.
Having a sticky thread here.

Something obvious, not what they do now which is make people dig for it.

-Dave
Note: This is most wallet makers not just Trezor


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 10, 2020, 01:09:11 AM
But, what about Bob? Alice told him to get a hardware wallet to keep things secure and he did. And he followed the setup instructions that did not mention the stupid long passphrase and 12 digit pin. And he even keeps it updated and occasionally reads the read me file with the new firmware.
I don't think trezor is responsible for what other people tell their users.

To be fair to trezor, they do have a security (https://trezor.io/security/) page that discloses past security issues. Although this one does not appear on that page.

There was this statement that trezor published in their FAQ in 2016:
If somebody steals my Trezor, they’ll just empty out my wallet before I have the chance to restore anyway. Right?
Not at all. All operations on TREZOR require the user to enter a PIN. The attacker would have to guess your PIN which is very difficult because with each badly entered PIN the time for entering it anew increases exponentially. For example, the delay between 19th and 20th PIN entering is 35 hours. Unplugging and plugging the device won’t help. The thief would have to sit his life off entering the PINs. Meanwhile, you have enough time to move your funds into a new device or wallet from the paper backup.

You can also hide your wallet behind passphrase which can be set on top of the PIN. Read more about the multi-passphrase encryption (hidden wallets).

I think this answer is still technically true, but may be misleading in light of the disclosure referenced in the OP. There are other answers in trezor's FAQ page that imply that coin is safe if an attacker steals a person's trezor.

I believe the lack of notifications by trezor has to do with the common threat models of trezor customers, described (https://blog.trezor.io/our-response-to-the-read-protection-downgrade-attack-28d23f8949c6) in trezor's response to the disclosure in the OP. Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.

At the end of the day, the security of my coin is my responsibility. If representations were made to me that were correct based on the person's knowledge at the time, I don't think I would have a valid basis to complain if a new technique or new technology later made that representation to be untrue. 

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: DaveF on February 10, 2020, 01:28:15 AM
...snip...

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Some possibly, some possibly not.
The issue is for me and for other people I have spoken with is that this OP issue still exists and they have done nothing about it (nor can they) but they still don't have the warnings front and center on their website / in the instructions.

-Dave


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 10, 2020, 01:57:16 AM
...snip...

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Some possibly, some possibly not.
The issue is for me and for other people I have spoken with is that this OP issue still exists and they have done nothing about it (nor can they) but they still don't have the warnings front and center on their website / in the instructions.

-Dave
Their response says they believe only about 6% of crypto users are concerned with physical attacks. This might not be enough of their user base to put such a prominent display on their website. 


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 10, 2020, 10:39:28 AM
Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.
I don't agree with that logic at all. I'm not concerned about physical attacks on my hardware wallets - I don't take them out and about with me, and they are stored in very secure locations. I still wiped my Trezor after learning about this vulnerability. I'm also not very concerned about physical attacks on my laptop, but I still use full disk encryption on it, and would absolutely swap to different software to do this if I knew the software I was using was crackable in <15 minutes.

And what about those 6% of users who are concerned about physical attacks? Do they not deserve a warning simply because they are in the minority?

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.
Trezor devices do not use secure elements like some other hardware wallets do. There is no evidence to suggest that this attack would also be successful against a secure element.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 
More secure than an encrypted wallet on a permanently airgapped device?


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: HCP on February 10, 2020, 07:37:41 PM
Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 
More secure than an encrypted wallet on a permanently airgapped device?
Depends if you're only considering "security" when deciding which is the "superior" solution.

I would say it all comes down to your own personal use case... how "secure" a HW might be compared to such a setup is debatable... given physical access to an airgapped device, it would probably be theoretically possible to access the private keys, even from an encrypted wallet... but yes of course a (properly) airgapped machine offers a decent level of security.

However the HW wallet will "win" if you need portability... I travel often, so this is important to me. Then there is the "ease of setup and/or use" factor. All the hardware wallets I have have taken me less than 15 minutes to setup from opening the package. Price could also be another factor ($60 for a Nano S vs. ??? for a 2nd computer+webcams etc if you're going the QR code route).

All things considered, for me personally, I'd agree that a hardware wallet is still the "best" solution for storing my private keys... it offers levels of security and convenience that I'm happy with.

As with everything else in this world, YMMV. ;)


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 11, 2020, 06:47:28 AM
Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.
I don't agree with that logic at all. I'm not concerned about physical attacks on my hardware wallets - I don't take them out and about with me, and they are stored in very secure locations. I still wiped my Trezor after learning about this vulnerability. I'm also not very concerned about physical attacks on my laptop, but I still use full disk encryption on it, and would absolutely swap to different software to do this if I knew the software I was using was crackable in <15 minutes.
Both your laptop, and your trezor are secured by the same thing, that is a password. An attacker with physical access to your devices would need specialized equipment, and technical skills, plus your password (passphrase) to gain access to your trezor, but would only need your password to gain access to your computer.


Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 
More secure than an encrypted wallet on a permanently airgapped device?
Yes. An airgapped device and a trezor need the same password to access any coin the respective device is holding. The airgapped computer will stay in a decrypted state for longer than a trezor when you are signing a transaction with either device. If you have an airgapped computer, an attacker with physical access to the device does not need any specialized equipment to start making attempts of guessing the password.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: malevolent on February 11, 2020, 08:07:09 AM
Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 
More secure than an encrypted wallet on a permanently airgapped device?

Taking into account not just security but ease of use, user-friendliness, functionality, etc., for an average user (who likely has poor security practices), a hardware wallet (Trezor wallets included) is probably the safest place to store private keys.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 11, 2020, 10:52:22 AM
@HCP and malevolent

I agree, and this is kind of the point I made a few posts back. Hardware wallets are marketed as simple to use, user friendly, etc. These devices are often recommended to newbies or other less technical users who would be unable to safely set up and use an airgapped machine or paper wallets. These are exactly the users who are most likely to be unfamiliar with passphrases and therefore not using them. It is deeply irresponsible of Trezor to not directly warn these users.

-snip-
You are correct, but only provided the hardware wallet is also using a passphrase. The majority of users do not use a passphrase, making a Trezor significantly less secure than an encrypted airgapped wallet.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 12, 2020, 05:29:48 AM

-snip-
You are correct, but only provided the hardware wallet is also using a passphrase. The majority of users do not use a passphrase, making a Trezor significantly less secure than an encrypted airgapped wallet.
Fair enough. But this also assumes a person using an encrypted airgapped wallet isn't using a very simple password, such as 'password1' or 'dog' even if they spell it backwards. I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine. 


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 12, 2020, 08:34:21 AM
I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine.
Yeah, agreed.

I use whole disk encryption on all my devices. The decryption key for my laptop which I use day-to-day for emails, work, etc. but not for my crypto wallets is around 100 bits of entropy, because as you say I have to enter it probably 5-10 times a day. The decryption key for my airgapped device which I store my cold wallets on is just short of 300 bits of entropy, because I wanted it to be at least as secure as a 24 word seed phrase. I only have to enter this maybe once a month, if that.

I know that I'm an outlier here though. I also know from experience in my workplace that people are horrendous when it comes to password security. Same password for everything, names of their spouse, family members, or pets (or even their own name!), passwords written down in their notebooks, even passwords written on the underside of keyboards. I would be hopeful that if someone is technical enough to be using whole disk encryption they are also smart enough to be using long random passwords, though.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: HCP on February 16, 2020, 09:30:24 PM
I wonder if it is even technically possible for Trezor to enforce passphrases by default in their wallet? The passphrase functionality is currently "hidden" in the advanced settings once you get the wallet setup and I believe it actually sets a flag within the device so that the web interface asks for a passphrase during wallet unlocking.

So, theoretically, during the onboarding process, the web interface could simply set this flag and basically "demand" that the user set a passphrase... at which point, we'd most likely get users using substandard passphrases anyway... or thinking that they can simply "reset" the passphrase at some point like a computer password and end up forgetting it etc ::) :-\

I can understand the commercial reasons why Trezor are not that keen to "advertise" the flaw... after all, it's supposed to be a secure device... and saying "There is a massive hole in our security, but just use a long random password and you're all good" kind of negates that proposition and would scare off potential users (aka customers).

Meanwhile, more tech savvy users are savaging them on forums/twitter/reddit etc for this exact reason.

Certainly a reputational juggling act that I'm glad I don't have to attempt to perform!


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 16, 2020, 10:07:28 PM
I can understand the commercial reasons why Trezor are not that keen to "advertise" the flaw... after all, it's supposed to be a secure device... and saying "There is a massive hole in our security, but just use a long random password and you're all good" kind of negates that proposition and would scare off potential users (aka customers).
It's a fair point, but look at the flipside. First Ledger and then Kraken were able to pull off this attack. It's only a matter of time before someone malicious figures it out, if they haven't already, meaning it's only a matter of time before someone loses their coins to this vulnerability. All it will take is one major theft with the news that Trezor knew about the vulnerability and didn't warn the user in question to completely ruin their reputation.

I also don't envy their position, but I think the responsible thing to do would be to clearly state the vulnerability and the requirement for a passphrase, whilst stating that they are working on new hardware which will mitigate the attack.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: PrimeNumber7 on February 16, 2020, 10:23:39 PM
I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine.
Yeah, agreed.

I use whole disk encryption on all my devices. The decryption key for my laptop which I use day-to-day for emails, work, etc. but not for my crypto wallets is around 100 bits of entropy, because as you say I have to enter it probably 5-10 times a day. The decryption key for my airgapped device which I store my cold wallets on is just short of 300 bits of entropy, because I wanted it to be at least as secure as a 24 word seed phrase. I only have to enter this maybe once a month, if that.
It really comes down to balancing security vs convenience. It is also a balance of security vs being able to memorize your password. If you have a complex password full of entropy, that is great and all, but it kinda defeats the point if you can't decrypt it because you forgot your passphrase.
Quote
I know that I'm an outlier here though. I also know from experience in my workplace that people are horrendous when it comes to password security. Same password for everything, names of their spouse, family members, or pets (or even their own name!), passwords written down in their notebooks, even passwords written on the underside of keyboards. I would be hopeful that if someone is technical enough to be using whole disk encryption they are also smart enough to be using long random passwords, though.
In many companies, writing passwords down as you describe would be a 'clean desk' violation. Many companies also utilize some kind of Single Sign On technology that allows employees to use a single username/password combination across (nearly) all services requiring authentication; in these cases, all the applications are run by the same company, so the risk of 'one' password leaking is not the same as it is normally, and companies usually keep track of unsuccessful login attempts, and will lock accounts upon a small number of attempts. Using a weak password to a service or application is bad, but not the same as having a weak encryption key.


Back on topic....if your device holding coin is subject to a physical attack, I would suggest you consider it to be eventually compromised. If this is part of your threat model, you should create countermeasures that involve you discovering, or being notified of the physical attack quickly, and use other countermeasures that delays the time from the physical compromise to the compromise of the keys.

It bears repeating that a trezor allows you to have multiple passphrases, so you can have a simple or moderately complex passphrase securing a low to moderate amount of coin. If any attacker physically steals your trezor, and can discover your simple passphrase, they need to make a decision if they want to continue looking for an additional passphrase, and if they want to spend the coin they have discovered. You can monitor the coin being secured by the simple passphrase, and if this coin moves, you can move the coin being secured via a more complex passphrase.

I wonder if it is even technically possible for Trezor to enforce passphrases by default in their wallet? The passphrase functionality is currently "hidden" in the advanced settings once you get the wallet setup and I believe it actually sets a flag within the device so that the web interface asks for a passphrase during wallet unlocking.
No, it is not. They could enable it by default, or prevent it from being disabled. None of this would prevent someone from using a blank passphrase, or a very simple one such as zzzz.


Title: Re: Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware
Post by: o_e_l_e_o on February 17, 2020, 09:57:09 AM
if your device holding coin is subject to a physical attack, I would suggest you consider it to be eventually compromised.
Completely agree. Even when using a hardware wallet which does not have this vulnerability, or an encrypted cold wallet, no setup should be assumed to be 100% safe. It should be seen as a method to buy you varying lengths of time to secure your coins before they can be stolen. Just as if my laptop was stolen, despite its whole disk encryption, I would still revoke its permissions and change all my passwords, if my hardware or cold wallets were stolen, I'd be using back ups to move all the coins within.

If any attacker physically steals your trezor, and can discover your simple passphrase, they need to make a decision if they want to continue looking for an additional passphrase, and if they want to spend the coin they have discovered.
I do use multiple passphrases, but I'm not a fan of solely relying on this method. I no longer use any Trezor devices, but if someone was to steal one, it would likely be a targeted attack because I had been sloppy with address reuse or similar and exposed some holdings, so they would know exactly how much bitcoin they were looking for. Further, physically stealing the wallet would be the hard part of the attack, and continually trying to brute force a passphrase relatively easy, so I suspect they might continue until they find what they are looking for. All my wallets are in locations where I would personally discover they are missing or be informed as such by trusted third parties with a maximum of 24 hours.