Bitcoin Forum
December 16, 2018, 02:54:21 AM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Trezor wallet can be hacked into before it boots up  (Read 1120 times)
supercops
Hero Member
*****
Offline Offline

Activity: 597
Merit: 502


View Profile
August 19, 2017, 03:01:02 PM
 #1

Read all about it here:
https://steemit.com/trezor/@lexiconical/trezor-hack-devices-are-not-secure-private-key-can-be-extracted-at-startup

There is a way to keep it secure hope to hear about it in the next firmware update. Embarrassed

          ▄███▄
       ▄████████
    ▄██████▀▀▀███
 ▄██████▀      ▀▀███▄
▀▀███████▄▄       ▀██▀
    ▀████████▄▄
       ▀█████████▄
          ▀▀████████▄
  ▄██▄▄       ▀▀███████▄▄
 ▀███▄▄      ▄██████▀
    ███▄▄▄██████▀
       ████████▀
          ▀███▀
.Sobit.[
▄▄████████▄▄
▄███▀▀      ▀▀███▄
▄██▀              ▀██▄
▄██              ▄▄▄ ██▄
▄██         ▄▄▄██████  ██▄
██    ▄▄▄███████▀████   ██
██ ▀█████████▀ ▄████    ██
██    ▀████▀ ▄██████    ██
██       ▀ ▄███████     ██
▀██        ██▀█████    ██▀
▀██       █   ▀██    ██▀
▀██▄              ▄██▀
▀███▄▄      ▄▄███▀
▀▀████████▀▀
CN - EN
⬢  Twitter
⬢  Facebook
⬢  Reddit
]
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1544928861
Hero Member
*
Offline Offline

Posts: 1544928861

View Profile Personal Message (Offline)

Ignore
1544928861
Reply with quote  #2

1544928861
Report to moderator
1544928861
Hero Member
*
Offline Offline

Posts: 1544928861

View Profile Personal Message (Offline)

Ignore
1544928861
Reply with quote  #2

1544928861
Report to moderator
achow101
Moderator
Legendary
*
Offline Offline

Activity: 1610
Merit: 1820


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
August 19, 2017, 05:58:08 PM
 #2

Trezor has already released an updated firmware that fixes this problem: https://blog.trezor.io/trezor-firmware-security-update-1-5-2-5ef1b6f13fed

They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

Lastly, the medium post that is often referred to is vague, describes the attack that was already fixed, and does not describe any new attack or any details of how the attack used for <1.5.1 firmware versions would work on 1.5.2. It is highly suspicious, does not follow responsible disclosure, is asking people for money for the attack, and in general, does not appear to be credible at all. Independent researchers had discovered the vulnerability too and the fixes for it were in the public github repository, so it seems that that person simply looked at the commits that fixed the problem and decided to FUD about it.

Coin-Keeper
Hero Member
*****
Offline Offline

Activity: 577
Merit: 502



View Profile
August 19, 2017, 11:44:12 PM
 #3

Guys please read and study the link placed in the post above this one and repeated here:

Quote
They have also released a full report detailing the vulnerability: https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522

The explanation of how this fix removes the RAM/SEED issue will hopefully become clear as you follow along.  If not come back and ask.  Your Trezors are not junk so don't believe everything you read since misinformation abounds on the net.  Your valuable SEED words have now been internally flagged in the Trezor firmware and moved to the beginning of RAM defeating this attack.  One important note is to stop and realize that even with NO changes or updates nobody can do anything to a Trezor without having it in their hands.  Paper wallets, which many brag about, are completely compromised IF you have one of them in your hands.  This new update will keep physical security of a Trezor pretty tight, and certainly much better than a paper wallet in someone's hand.  Both are impossible if they are NOT in your physical possession.  Lastly, as I have preached for a long time, you may want to utilize the BIP39 standard and incorporate significant passphrases for hidden wallets.  None of the extended seed info is ever stored on a hardware wallet so even in a total breach (very unlikely to ever happen) your coins are safe.  Caveat:  I am not affiliated with Trezor mfgs, but I hate all the misinformation that others are circulating.


BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
cpfreeplz
Legendary
*
Offline Offline

Activity: 938
Merit: 1033


View Profile
August 19, 2017, 11:48:26 PM
 #4

Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.
Coin-Keeper
Hero Member
*****
Offline Offline

Activity: 577
Merit: 502



View Profile
August 19, 2017, 11:55:38 PM
 #5

Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument there is one thing not being considered by your approach.  Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc.....  A paper wallet has no hidden wallet feature.  If I find the paper wallet its game over.  If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose.  My real nest egg will be beyond your reach and you can't even prove it exists.  Thats all thanks to BIP39 and features external to the hardware device.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
HeRetiK
Hero Member
*****
Offline Offline

Activity: 952
Merit: 846


the forkings will continue until morale improves


View Profile
August 20, 2017, 12:33:07 AM
 #6

Know what's faster, cheaper and better? Paper wallets. I've never had an issue with my firmware from a live USB screwing up my security.

Inb4 Paper wallets can burn in a fire, you can lose them etc... Make three copies. Don't actually keep them on paper. Why not steel? Titanium? The answer is in your own head.

While I don't want to create an argument there is one thing not being considered by your approach. Most Trezor users actually move and use BTC, perhaps even on their mobile phones etc.....  A paper wallet has no hidden wallet feature.  If I find the paper wallet its game over.  If you find and grab one of my Trezors, and even if you can fully breach it (you won't), you will ONLY find the decoy "crumbs" I left just for that purpose.  My real nest egg will be beyond your reach and you can't even prove it exists.  Thats all thanks to BIP39 and features external to the hardware device.

Yep, precisely. The fact that you can use cold storage with the ease of a hot wallet is liberating. Using an airgapped computer to sign transactions gets old real fast. However that's just my humble opinion. Everyone has their own use cases and security needs.

Apart from that, rest assured that even knowing the seed words won't help an attacker if your passphrase is long enough. You could basically create a paperwallet that can be used on a non-airgapped device via trezor without fearing to expose the private key.

XXX_BTC1@
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
October 30, 2017, 06:56:11 AM
 #7

Read all about it here:
https://steemit.com/trezor/@lexiconical/trezor-hack-devices-are-not-secure-private-key-can-be-extracted-at-startup

There is a way to keep it secure hope to hear about it in the next firmware update. Embarrassed

no it does not hacked by any one. trezor wallet had great features it is one of the best hardware wallet it can save private keys more secure and no one can hack to this. if you have to creatings private keys then don't reavel to others. like it is more important to keep maintain secure.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!