klokan
|
|
July 28, 2014, 10:05:11 PM |
|
Hm... What if someone gets hold of your Trezor without your knowledge, installs malicious firmware that saves your passphrase, returns it to you, then steals it again after you have used it, and downloads the passphrase? Or whatever?
The storage area is erased when you upload unofficial firmware. So the easiest way to get to the seed is to load satoshilabs signed seed-recovery-firmware, right? ;-)
|
|
|
|
JorgeStolfi
|
|
July 28, 2014, 10:16:34 PM |
|
Opening a Trezor will break the casing, as far as I know. Even if you glue it back together it would look broken (and thus suspicious).
Criminals can replace photos on passports and forge dollar bills. Surely they can re-seal a plastic case so that it looks pristine. They can also flash an EPROM or replace a ROM.
So I prefer to be able to update my firmware, as I have a brain and will not click on yes or not read the addresses on screen.
Good for you, but the "net fishing" class of criminals will be quite happy even if only 5 of 100 people who got their Trezors with malicious firmware click "yes" and then enter their PIN. They will not target you; they will aim for your grandmother and your 13-year-old cousin.
If you can steal a Trezor, mod it, send it to your target, and steal it again, you can also decide to torture him if his Trezor is unbreakable, so in this case, maybe it's better to be tricked by Trezor.
The fake Trezor (or the malicious firmware, signed or unsigned) can be programmed to select from a small set of private keys that were pre-generated by the thief, instead of random ones. Therefore, the criminal does not need to steal the fake Trezor back. He does not even have to know the victims or in which country they reside. He has only to place the fake/reprogrammed Trezors in the market stream somehow, and then watch the blockchain until some of those precomputed addresses receive enough bitcoins.
|
Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
|
|
|
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
|
|
July 28, 2014, 10:31:00 PM |
|
Good for you, but the "net fishing" class of criminals will be quite happy even if only 5 of 100 people who got their Trezors with malicious firmware click "yes" and then enter their PIN. They will not target you; they will aim for your grandmother and your 13-year-old cousin.
Actually it is still many degrees easier to target tens of thousands of people who simply don't care and use some webwallet. Attacking users who don't use any protection simply has a better effort/reward ratio. To perform advanced attacks like you described, you need to:
1) Get signed malicious software (highly unlikely considering the security standards which we've chosen, because we're aware of this risk).
2) Distribute such software to end users and convince users to update.
3) Infect their computers to actually use that malicious firmware.
In contrast, to hack into ANY OTHER wallet, you need:
1) keylogger
Actually a much more likely hack against a Trezor owner is to kidnap his wife. But if *this* is the only concern, then Trezor moves the bitcoin security standard to a completely different level compared to the current (pre-Trezor) epoch.
|
|
|
|
JorgeStolfi
|
|
July 28, 2014, 10:41:26 PM |
|
And with fake Trezor in the equation, you can't solve the issue by hardware changes (but maybe some checks process can do the job)
Hey, it was just free advice. But: the point is that relatively few criminals can physically forge or modify a Trezor, whereas any teenager could buy a real Trezor and preload it with malicious unsigned firmware that he got from his hacker buddy. So, even if the second variant has a low probability of success (owners who ignore the warning), it may be the bigger risk in absolute numbers.
|
|
|
|
cor
|
|
July 29, 2014, 12:51:50 AM |
|
And with fake Trezor in the equation, you can't solve the issue by hardware changes (but maybe some checks process can do the job)
Hey, it was just free advice. But: the point is that relatively few criminals can physically forge or modify a Trezor, whereas any teenager could buy a real Trezor and preload it with malicious unsigned firmware that he got from his hacker buddy. So, even if the second variant has a low probability of success (owners who ignore the warning), it may be the bigger risk in absolute numbers.
There was some Kaspersky Lab research - they've recorded over 8.000.000 attempts of a wallet-stealing malware in 2013. Important thing to consider in the final numbers is that Kaspersky only has around 3-5% of the antivirus software marketshare. Count that ratio in and what you get may be the bigger risk in absolute numbers.
Source: https://securelist.com/analysis/kaspersky-security-bulletin/59414/financial-cyber-threats-in-2013-part-2-malware/#24
|
|
|
|
JorgeStolfi
|
|
July 29, 2014, 01:30:42 AM |
|
Interesting number! I could not find the total number of KL users (to translate that into percentage of hosts that are infected), do you have this number? As I said twice before, keeping your keys in a Trezor surely must be safer than keeping them in your PC or smartphone (or in an unencrypted text file in your Dropbox folder). And "what I tell you three times is true".
|
|
|
|
kkurtmann
|
|
July 29, 2014, 06:39:29 AM |
|
back-end for myTREZOR, this bits of proof apparently is now owned by one of the worlds worst hardware manufacturers cointerra?
|
|
|
|
JorgeStolfi
|
|
July 29, 2014, 06:51:15 AM |
|
back-end for myTREZOR, this bits of proof apparently is now owned by one of the worlds worst hardware manufacturers cointerra?
You mean Cointerra is the manufacturer of the Trezor electronics?
|
|
|
|
kkurtmann
|
|
July 29, 2014, 06:56:30 AM |
|
good god lets hope not. no that is not what I said at all. read it again
|
|
|
|
JorgeStolfi
|
|
July 29, 2014, 07:05:00 AM |
|
good god lets hope not. no that is not what I said at all. read it again
Sorry, I did not understand. You meant myTrezor the supporting app/website? What "proof"?
|
|
|
|
Kuma
Member
Offline
Activity: 107
Merit: 10
|
|
July 29, 2014, 07:14:32 AM |
|
Sorry, I did not understand. You meant myTrezor the supporting app/website? What "proof"?
"Bits of Proof" is the company that made the myTrezor backend (the web wallet).
|
|
|
|
|
JorgeStolfi
|
|
July 29, 2014, 07:20:08 AM |
|
Sorry, I did not understand. You meant myTrezor the supporting app/website? What "proof"?
"Bits of Proof" is the company that made the myTrezor backend (the web wallet).
Thanks!
|
|
|
|
bitkilo
Legendary
Offline
Activity: 1638
Merit: 1010
https://www.bitcoin.com/
|
|
July 29, 2014, 09:31:00 AM |
|
Good to see this is in the news again. For someone who's not so tech-savvy like myself, I can't wait to get 1. Can anyone tell me the release date for these?
|
Not a paid signature, just added to promote Bitcoin.com
|
|
|
stick
|
|
July 29, 2014, 09:35:41 AM |
|
"Bits of Proof" is the company that made the myTrezor backend (the web wallet).
That's not true. myTREZOR webwallet was done by us. The thing done by BoP was the backend which myTREZOR connects to and asks for transaction history.
|
|
|
|
cor
|
|
July 29, 2014, 10:20:31 AM |
|
Good to see this is in the news again. For someone who's not so tech-savvy like myself, I can't wait to get 1. Can anyone tell me the release date for these?
eshop should be ready by the end of this week
|
|
|
|
lemonte
|
|
July 29, 2014, 10:52:19 AM |
|
Good to see this is in the news again. For someone who's not so tech-savvy like myself, I can't wait to get 1. Can anyone tell me the release date for these?
eshop should be ready by the end of this week
Is there going to be an affiliate system for anyone wanting to try and resell? Thanks
|
|
|
|
cor
|
|
July 29, 2014, 11:18:55 AM |
|
back-end for myTREZOR, this bits of proof apparently is now owned by one of the worlds worst hardware manufacturers cointerra?
You mean Cointerra is the manufacturer of the Trezor electronics?
We have no association with Cointerra. TREZOR as well as TREZOR Web Wallet and its backend is our product (the backend delivered to us upon a contract of works with Bits of Proof). myTREZOR Web Wallet is using BOP Bitcoin Server https://bitsofproof.com/?page_id=826
The coindesk post might sound a little misleading but that happens in communication. I hope they will at least correct the link to myTREZOR.
|
|
|
|
cor
|
|
July 29, 2014, 11:20:08 AM |
|
Good to see this is in the news again. For someone who's not so tech-savvy like myself, I can't wait to get 1. Can anyone tell me the release date for these?
eshop should be ready by the end of this week
Is there going to be an affiliate system for anyone wanting to try and resell? Thanks
Yes, subscribe to our newsletter please and we'll let you know.
|
|
|
|
Mitchell
Staff
Legendary
Offline
Activity: 4130
Merit: 2337
Verified awesomeness ✔
|
|
July 29, 2014, 11:24:56 AM |
|
I am going to ask this question, before more people do (and thus saving you the trouble): Any idea what the price will be? I don't need a specific number, a range would be sufficient. I know that this has been asked many times, over and over again, but you should have an estimate if you are going to open a webshop that sells them
|
|
|
|
|