TREZOR Firmware Security Update — 1.5.2
Today, SatoshiLabs released a security update to your TREZOR; a new firmware version — 1.5.2 — was pushed out to all users. This update fixes a security issue which affects all devices with firmware versions lower than 1.5.2.
TREZOR Wallet will notify you about this update. Please make sure you have your recovery seed nearby, before starting the update process. Refer to the User Manual if you need assistance with the firmware update. For users with Bootloader version 1.3.0, please consult this guide first.
It is important to note that this is not a remote execution attack. To exploit this issue, an attacker would need physical access to a disassembled TREZOR device with uncovered electronics. It is impossible to do this without destroying the plastic case.
If your device does not leave your presence, your coins are safe. Moreover, if you have a passphrase enabled and actively use it, your coins are safe. Yet, we strongly recommend you to update your TREZOR anyway.
We are not releasing a detailed description of the issue today to give enough time for users to update and for other hardware wallets based on TREZOR to distribute an update. We will publish a detailed report in the coming days.
How do I know that my TREZOR has not been broken into?
In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially-crafted firmware. If your device is intact, your seed is safe, and you should update your firmware to 1.5.2 as soon as possible.
With firmware 1.5.2, this attack vector is eliminated and your device is safe.