[ESHOP launched] Trezor: Bitcoin hardware wallet

[Mirdude]

Seems interesting, will be adding this to my wishlist.

[1714147861]

1714147861

[1714147861]

1714147861

[1714147861]

1714147861

[stick]

But there's a "session_clear()" function which clears the PIN, cached root node and cached passphrase. There's also an accompanying protocol message to invoke it. Maybe it's the wallets responsibility to clear the session via this message.

Correct. Since firmware 1.2.1 there is a message called ClearSession that forces TREZOR to "forget" cached PIN and passphrase. The idea is that client sends this message after few minutes of user inactivity or when a screensaver kicks in or when a screen is locked.

[klokan]

Is this just as secure as a paper wallet? I should imagine it isn't because it requires you the manufacturer to actually have access to the private keys?

The keys are generated using entropy from the trezor plus entropy from the computer you plug into.  There's no way for the manufacturer to know your keys.

Well, if the manufacturer of a hardware wanted to get the client's keys, they could do it very easily.  
If you use a special-purpose hardware to store your keys, you have to trust the manufacturer.  I see no way around it.

The hardware can be checked and the software is open source.

Checking the hardware is viable only with sophisticated lab equipment.  To check the software, someone whould have to carefully check the source code (at every release) for malicious backdoors or weaknesses, and then the client would have to check that the compiled firmware that he is loading, duly signed by the manufacturer,  matches that source code.  Obviously neither is viable in practice, except after the fact.

Back to the original question:
"Is this just as secure as a paper wallet?" No. It cannot be. However it's much more useful, because from this wallet you can actually spend. It's also very easy to use. Creating a really secure paper wallet is difficult. Setting up and using Trezor is easy.

"requires you the manufacturer to actually have access to the private keys" This statement is dead wrong. In many services out there, the main premise is that end user cannot keep his private keys secure, thus he should keep it with some online service that will take care of security. This creates just another issue for the user, because he now has to keep his service credentials secure and he has to trust the service provider so he is in even more difficult situation. Trezor is different. It lets you own your private keys without manufacturer knowing anything about you. In theory, Satoshi Labs can recover your seed from the device if the device is still working and they have physical access to it. But that is only if you are not using passphrases and give them the device and they actually want to recover your seed.

Without the physical access to the hardware, there is only a single way manufacturer could get your keys: backdoor. There is a catch though. If your bitcoins are stolen by a malware or a hacker, then you are just screwed. If your btc is stolen by an open software, open hardware backdoored device, then you can sue somebody. I assume their liability for a software bug is at the zero level. Their liability for a money stealing backdoors is a complete different story. That is fraud and you can sue it everywhere in the world.

Also, your statement that checking the software is not viable in practice is wrong. They use deterministic build so everybody can check that the software is what it is supposed to be. Also, the software is single purpose, thus small, thus verifiable for backdoors.

[klokan]

Got my Trezor today.

I have successfully set up the multi-passphrase encryption structure.

It appears that every time that I access the Trezor, I have an opportunity to create a new hidden volume.  Out of curiosity, is there a limit to the number of volumes?  If I reach the limit, how will the Trezor behave when a new volume is attempted to be made.

My real question is about the no-passphrase entry.  I tried it, and it appears that I have no access to anything when a passphrase is not entered.  I recall reading somewhere about different behavior based on whether a passphrase box is checked.  Does anyone have any clarity on pitfalls to watch out for?

Overall, I'm very impressed with the Trezor!

There is no limit for the number of "hidden volumes". Trezor does not keep their list. It just can recover all those account addresses  when you enter that particular passphrase again. I don't understand the "no-passphrase entry" question. Can you please rephrase it? You have two options for setup: You either create 1. passphrase protected Trezor or 2. Trezor without passphrases. In the latter, you will never be prompted for passphrases. What does "no access to anything when a passphrase is not entered" mean? You are able to store your BTC on Trezor in second setup (without passphrases) as well.

[dnaleor]

just a small post to let you know my USB cable died today. I tried a different one and my Trezor is still ok.

(thanks for replying to our e-mail. We will reply in a few days)

[JorgeStolfi]

Checking the hardware is viable only with sophisticated lab equipment.  To check the software, someone whould have to carefully check the source code (at every release) for malicious backdoors or weaknesses, and then the client would have to check that the compiled firmware that he is loading, duly signed by the manufacturer,  matches that source code.  Obviously neither is viable in practice, except after the fact.

The hardware can be checked by feeding it known inputs and checking that the output matches what's expected.

It is easier to find the private key of a bitcoin address by trial and error than to check all possible inputs of such a device.  (Translation, just to avoid misunderstandings: it is totally inviable.)

Their build process is deterministic, so you can in fact check that the signed binary matches the open source code. It is also not true that every individual has to check the code every time there is a release, it can be done on an ongoing basis by a community of semi-trusted individuals.

Each client will have to download and install a copy of the firmware at every update, so each client would  have to check that his copy matches the copy that the community has verified by compiling the source code.   That can be done by comparing the hashes of the firmware only; but how will the client get the correct hash to compare to, and how will he compute the hash of the downloaded copy, on an untrusted machine (which is the assumption that justifies using a Trezor)?

You're really reaching, aren't you? What's your angle here exactly?

I am merely  pointing out a fact that should be obvious to anyone who really tries to evaluate the security of the system.

Just because something is "bitcoin" it does not mean that it is perfect.  While trusting a Trezor is certainly better than trusting a  random PC or smartphone, clients still must trust the manufacturers (their honesty, and their zeal in keeping intruders off the manufacturing and shipping process).

[blossbloss]

Got my Trezor today.

I have successfully set up the multi-passphrase encryption structure.

It appears that every time that I access the Trezor, I have an opportunity to create a new hidden volume.  Out of curiosity, is there a limit to the number of volumes?  If I reach the limit, how will the Trezor behave when a new volume is attempted to be made.

My real question is about the no-passphrase entry.  I tried it, and it appears that I have no access to anything when a passphrase is not entered.  I recall reading somewhere about different behavior based on whether a passphrase box is checked.  Does anyone have any clarity on pitfalls to watch out for?

Overall, I'm very impressed with the Trezor!

There is no limit for the number of "hidden volumes". Trezor does not keep their list. It just can recover all those account addresses  when you enter that particular passphrase again. I don't understand the "no-passphrase entry" question. Can you please rephrase it? You have two options for setup: You either create 1. passphrase protected Trezor or 2. Trezor without passphrases. In the latter, you will never be prompted for passphrases. What does "no access to anything when a passphrase is not entered" mean? You are able to store your BTC on Trezor in second setup (without passphrases) as well.

When I plug in my Trezor, I always get the password prompt.  If I hit the "x" in the upper right corner to close the popup window without hitting "Enter", then it appears to give me no access to anything.  I have also noticed when I do not enter a password, and press "Enter", it appears to give me a new volume to work with.  So I assume that I have three volumes on my Trezor.  The first one is with my serious password.  The second one is to protect from the $5 wrench.  And the third one is a null password.

Am I understanding this right?

Thanks

[shadallion]

What is the guarantee that myTREZOR.com will always be around for me to be abel to spend/receive bitcoins using the Trezor?

In 30 years, will that website still be around? 

[dnaleor]

I just realized I had very bad security practices involving the trezor:

I use it with electrum (don't do this yet, it's not for the faint of heart, wait for electrum release 2.0).

I just leave my wallet (electrum) open with the trezor plugged in. That's a bad idea.

For some reason I assumed the PIN would be asked every time. But it seems the trezor will remember passphrase and pin auth, so anybody could walk up to my computer and make a transaction without knowing password or PIN.

So note to self: always unplug the trezor when done, especially when having entered the PIN.

Suggestion/question: could the trezor have a timeout on the PIN and re-ask after it has elapsed? Same for passphrase.

yes, I noticed the same behaviour.

Maybe no timeout for passphrase (doesn't make sense... You opened a certain wallet with a certain passphrase to use it... Using can also mean using the receiving addresses)
Time out for pin seems a good idea. The idea behind the pin is the prevention of stealing coins by people who gain acces to the trezor. The purpose of the passphrase is to prevent stealing when people have acces to the seed.

[JorgeStolfi]

"requires you the manufacturer to actually have access to the private keys" This statement is dead wrong.

Indeed, and that is why I never wrote that.

A malicious manufacturer can distribute firmware that, instead of using truly random seeds,  chooses seeds from a very small set.  Then the manufacturer can  generate the private keys for all those seeds and find the one that matches the client's blockchain address.

This attack can be performed by the manufacturers, or by any individual or gang who can get hold of 3 of the 5 firmware signing keys.  Or by someone  who can plant the weakness in the firmware before it gets signed.  Or by anyone who can replace the Trezor by a counterfeit one during shipment to the client.  Or any shop that sells Trezors to walk-in clients.

I can think of a few other variants on this attack.  Surely criminals can think of dozens more.

Without the physical access to the hardware, there is only a single way manufacturer could get your keys: backdoor. There is a catch though. If your bitcoins are stolen by a malware or a hacker, then you are just screwed. If your btc is stolen by an open software, open hardware backdoored device, then you can sue somebody. [ ... ] Their liability for a money stealing backdoors [ is ] fraud and you can sue it everywhere in the world.

If the manufacturers do steal your coins, in order to accuse them of deliberate theft you will have to prove, first, that the the source address of the fatal transaction was under your control at the time, and that the destination address was not.   Perhaps you can do that with witnesses, or internet access logs, but it seems quite hard.  (But,ok, that is a problem of bitcoin itself, not of Trezor.)  Then you have to prove that you did not leak the recovery key words inadvertently.  And then you have to prove that the destination address is under their control. 

I assume their liability for a software bug is at the zero level.

On the contrary, a client who loses the coins that he kept in a Trezor may be able to sue the manufacturers for misleading advertising, even if they are innocent and the theft did not involve them directly.  (I haven't seen the Trezor warranty; I hope that they got the help of some smart lawyers, and thoroughly protected themselves from that risk.)  Of course the client would still face the problem of proving that the theft really occurred, as above.

Also, your statement that checking the software is not viable in practice is wrong. They use deterministic build so everybody can check that the software is what it is supposed to be. Also, the software is single purpose, thus small, thus verifiable for backdoors.

As or checking the software, see my previous reply to another post.  As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin.  I bet that the full source will soon have hundreds of thousands of lines of code.  (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)

[bitpop]

What is the guarantee that myTREZOR.com will always be around for me to be abel to spend/receive bitcoins using the Trezor?

In 30 years, will that website still be around? 

Many more wallets will support it. It's not proprietary.

[kkurtmann]

Got my Trezor today.

I have successfully set up the multi-passphrase encryption structure.

It appears that every time that I access the Trezor, I have an opportunity to create a new hidden volume.  Out of curiosity, is there a limit to the number of volumes?  If I reach the limit, how will the Trezor behave when a new volume is attempted to be made.

My real question is about the no-passphrase entry.  I tried it, and it appears that I have no access to anything when a passphrase is not entered.  I recall reading somewhere about different behavior based on whether a passphrase box is checked.  Does anyone have any clarity on pitfalls to watch out for?

Overall, I'm very impressed with the Trezor!

There is no limit for the number of "hidden volumes". Trezor does not keep their list. It just can recover all those account addresses  when you enter that particular passphrase again. I don't understand the "no-passphrase entry" question. Can you please rephrase it? You have two options for setup: You either create 1. passphrase protected Trezor or 2. Trezor without passphrases. In the latter, you will never be prompted for passphrases. What does "no access to anything when a passphrase is not entered" mean? You are able to store your BTC on Trezor in second setup (without passphrases) as well.

When I plug in my Trezor, I always get the password prompt.  If I hit the "x" in the upper right corner to close the popup window without hitting "Enter", then it appears to give me no access to anything.  I have also noticed when I do not enter a password, and press "Enter", it appears to give me a new volume to work with.  So I assume that I have three volumes on my Trezor.  The first one is with my serious password.  The second one is to protect from the $5 wrench.  And the third one is a null password.

Am I understanding this right?

Thanks

yes.
it will only show the trezor label you gave it by closing the passphrase dialogue, but you can access any of your hidden volumes by clicking the add account then entering what ever passphrase you want to use.

[gweedo]

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

[Anon136]

What is the guarantee that myTREZOR.com will always be around for me to be abel to spend/receive bitcoins using the Trezor?

In 30 years, will that website still be around? 

Presumably its all open source just incase right? Worst case scenario, If its gone in 30 years than just copy that source code to your own server and make your own mytrezor.com.

[Deafboy]

What is the guarantee that myTREZOR.com will always be around for me to be abel to spend/receive bitcoins using the Trezor?

In 30 years, will that website still be around? 

Trezor support for electrum is already present (it's just not stable yet). You can already try it

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

What problems do you have on your mind? I'm only aware of small inconveniences. Nothing that would prevent me from using it.
If you have the metallic one, I bet many people would be glad to buy it from you. Obviously not for 3 BTC though.

[gweedo]

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

What problems do you have on your mind? I'm only aware of small inconveniences. Nothing that would prevent me from using it.
If you have the metallic one, I bet many people would be glad to buy it from you. Obviously not for 3 BTC though.

Small inconveniences? I paid 3 BTCs for a device that should work with mytrezor, it doesn't, that is a major inconvenience as my coins are trapped in it.

Then the support was extremely rude, when I was being extremely helpful by even showing them my public master key, which is something I don't really want to do, since that broke my privacy.

The co-founder posted under my trust rating a vulgar word, when I left a negative trust review of my current issue on his.

I really don't want to be around people like that, and I don't want to support them either, so a refund is the only thing that I think will make this extremely unsatisfied customer happy. As I have already warned a number of people, and received many pms that they will not be purchasing a trezor and will be waiting for other implements as they were horrified at what took place for me.

[AussieHash]

Don't kid yourself gweedo, you are an asshole

[klokan]

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

The guy who paid 10000BTC for the pizza back in the day would like to refund as well.  If that guy would be refunded, he would probably get 10USD back (provided he will return the pizza). BTC is deflation currency and the refunds don't work with those. Your lawyer should learn some basic rules of economy.

You can still get refunded though, because there are people willing to pay the amount of money you paid for this one. BTC was worth 80-120USD during the preorder period. I would pay you 330USD for it myself.

[molecular]

What is the guarantee that myTREZOR.com will always be around for me to be abel to spend/receive bitcoins using the Trezor?

In 30 years, will that website still be around? 

If push comes to shove, you can host your own: https://github.com/trezor/webwallet

Might be hard to replicate the backend, though (but I think it's opensource).

Another solution would be to use other wallets. Electrum and Armory will likely have trezor support soon.

Also, there's a library to access the trezor: https://github.com/trezor/python-trezor and there are also other ways to use your seed and get to your money. There are standards for the format and such (bi0032, bip0039, bip0044).

You're in no way dependant on myTrezor.com and I think it's not unlikely it will be gone in 2044, your trezor still alive and kicking

[klokan]

A malicious manufacturer can distribute firmware that, instead of using truly random seeds,  chooses seeds from a very small set.

This would be visible in the firmware source.

This attack can be performed by the manufacturers, or by any individual or gang who can get hold of 3 of the 5 firmware signing keys.  Or by someone  who can plant the weakness in the firmware before it gets signed.  Or by anyone who can replace the Trezor by a counterfeit one during shipment to the client.  Or any shop that sells Trezors to walk-in clients.

With deterministic build, everybody can check the firmware. That does not mean that everybody HAS to. If 3 of 5 decided to sign something malicious, then the rest of the guys would be whistle-blowing and everybody would know. End even if all of them signed it, then anybody verifying the firmware would have to have this weakness implanted in his code as well to see the same fingerprint of the deterministic build. Such a weakness thus needs to be in the open source code, thus visible by anybody. Not everybody has to check it. If just one person checks it and reports it, then everybody will know.

If your Trezor is replaced in the shipment, then anything can happen. But that is the case with all computer parts out there. Raspbery pis that people use with armory or for generating paper wallets can be replaced as well. So this is no worse than your paper wallet.

If the manufacturers do steal your coins, in order to accuse them of deliberate theft you will have to prove, first, that the the source address of the fatal transaction was under your control at the time, and that the destination address was not.   Perhaps you can do that with witnesses, or internet access logs, but it seems quite hard.  (But,ok, that is a problem of bitcoin itself, not of Trezor.)  Then you have to prove that you did not leak the recovery key words inadvertently.  And then you have to prove that the destination address is under their control.  

I was not talking about proving that this is their address. I was talking about proving that there is a backdoor. As I argued above, if there is one, you should be able to find it in the open-source code. It should be easy to prove.

As or checking the software, see my previous reply to another post.  As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin.  I bet that the full source will soon have hundreds of thousands of lines of code.  (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)

Trezor now has 16500 lines of code in *.c files and another 7000 in *.h files. This is a total for bootloader, firmware and I might included some testing and GUI code as well, that is not on the device so it is even less. And this includes many features discussed here that are not yet released. I don't see it getting to 100000 any time soon. Provided that some code is imported from other open source libraries, the Trezor code itself is even smaller.

Edit: I'm wondering what those Brazilians did there. Millions of lines you say? Wow.