Bitcoin Forum
March 19, 2024, 05:33:33 AM *
Author Topic: Trezor wallet can be hacked into before it boots up  (Read 1217 times)
supercops (OP)
Hero Member
Activity: 589
Merit: 502
August 19, 2017, 03:01:02 PM
 #1

Read all about it here:
https://steemit.com/trezor/@lexiconical/trezor-hack-devices-are-not-secure-private-key-can-be-extracted-at-startup

There is a way to keep it secure; hope to hear about it in the next firmware update.

achow101
Staff
Legendary
Activity: 3332
Merit: 6433
Just writing some code
August 19, 2017, 05:58:08 PM
 #2

Trezor has already released an updated firmware that fixes this problem: https://blog.trezor.io/trezor-firmware-security-update-1-5-2-5ef1b6f13fed

They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

Lastly, the Medium post that is often referred to is vague, describes the attack that was already fixed, and does not describe any new attack or any details of how the attack used for <1.5.1 firmware versions would work on 1.5.2. It is highly suspicious, does not follow responsible disclosure, is asking people for money for the attack, and in general, does not appear to be credible at all. Independent researchers had discovered the vulnerability too and the fixes for it were in the public GitHub repository, so it seems that that person simply looked at the commits that fixed the problem and decided to FUD about it.

Coin-Keeper
Hero Member
Activity: 758
Merit: 606
August 19, 2017, 11:44:12 PM
 #3

Guys please read and study the link placed in the post above this one and repeated here:

Quote
They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

The explanation of how this fix removes the RAM/SEED issue will hopefully become clear as you follow along. If not, come back and ask. Your Trezors are not junk, so don't believe everything you read, since misinformation abounds on the net. Your valuable SEED words have now been internally flagged in the Trezor firmware and moved to the beginning of RAM, defeating this attack. One important note is to stop and realize that even with NO changes or updates nobody can do anything to a Trezor without having it in their hands. Paper wallets, which many brag about, are completely compromised IF you have one of them in your hands. This new update will keep physical security of a Trezor pretty tight, and certainly much better than a paper wallet in someone's hand. Both are impossible if they are NOT in your physical possession. Lastly, as I have preached for a long time, you may want to utilize the BIP39 standard and incorporate significant passphrases for hidden wallets. None of the extended seed info is ever stored on a hardware wallet, so even in a total breach (very unlikely to ever happen) your coins are safe. Caveat: I am not affiliated with Trezor mfgs, but I hate all the misinformation that others are circulating.


BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
cpfreeplz
Legendary
Activity: 966
Merit: 1042
August 19, 2017, 11:48:26 PM
 #4

Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.
Coin-Keeper
Hero Member
Activity: 758
Merit: 606
August 19, 2017, 11:55:38 PM
Last edit: August 20, 2017, 12:12:56 AM by Coin-Keeper
 #5

Quote from: cpfreeplz
Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument, there is one thing not being considered by your approach. Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc..... A paper wallet has no hidden wallet feature. If I find the paper wallet it's game over. If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose. My real nest egg will be beyond your reach and you can't even prove it exists. That's all thanks to BIP39 and features external to the hardware device.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
HeRetiK
Legendary
Activity: 2870
Merit: 2056
August 20, 2017, 12:33:07 AM
 #6

Quote from: Coin-Keeper
Quote from: cpfreeplz
Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument, there is one thing not being considered by your approach. Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc..... A paper wallet has no hidden wallet feature. If I find the paper wallet it's game over. If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose. My real nest egg will be beyond your reach and you can't even prove it exists. That's all thanks to BIP39 and features external to the hardware device.

Yep, precisely. The fact that you can use cold storage with the ease of a hot wallet is liberating. Using an airgapped computer to sign transactions gets old real fast. However, that's just my humble opinion. Everyone has their own use cases and security needs.

Apart from that, rest assured that even knowing the seed words won't help an attacker if your passphrase is long enough. You could basically create a paper wallet that can be used on a non-airgapped device via Trezor without fearing to expose the private key.

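The BIP39 passphrase behaviour discussed in posts #3, #5 and #6, as an added example that is not part of any post and is not Trezor's code: it derives the wallet seed as BIP39 specifies and shows that one set of seed words selects a different, unrelated wallet for every passphrase, with no "wrong passphrase" error to reveal which wallets exist. The function names and the sample passphrases are assumptions made for this illustration; the mnemonic is the published all-zero-entropy BIP39 test vector.

```python
import hashlib
import math
import unicodedata

# Published BIP39 test-vector mnemonic (all-zero entropy). Never use it for funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_fingerprints(mnemonic: str, passphrases) -> dict:
    """Short fingerprint of the seed (hence the wallet) each passphrase selects."""
    return {p: hashlib.sha256(bip39_seed(mnemonic, p)).hexdigest()[:16]
            for p in passphrases}


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passphrases; "" is the wallet opened when none is entered.
    samples = ["", "TREZOR", "TREZOS"]
    for phrase, fp in wallet_fingerprints(MNEMONIC, samples).items():
        print(f"passphrase {phrase!r:10} -> seed fingerprint {fp}")
    # Every input yields a valid seed, so the words alone neither open nor
    # prove the existence of a passphrase-protected wallet.
    for length in (6, 12, 20):
        bits = passphrase_bits(length, 62)  # letters and digits
        print(f"{length:2d} random alphanumeric chars ~ {bits:.0f} bits")
```

Because the 2048 PBKDF2 rounds are cheap to compute, the protection after seed words leak comes from the passphrase's own entropy, which is why the posts stress "significant" and "long enough" passphrases.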