Bitcoin Forum
November 14, 2018, 11:14:01 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Trezor exploit analysis showing thorough fix  (Read 450 times)
Coin-Keeper
Hero Member
*****
Offline Offline

Activity: 575
Merit: 502



View Profile
August 20, 2017, 07:52:06 PM
 #1

Guys I have spent that last several days examining this newly discussed Trezor exploit.  I have gone line by line and find the newest firmware has taken care of what has been circulating around the net and on this forum.  I will link a small paper, which is on the Trezor site as well, and invite you to take particular interest in the final section where it describes how any exploit to even the older bootloader models is now "bullet proof" against this or any other known exploit.  I would also like you to entertain consideration of another bit of mis-information regarding the "public" chips employed on the Trezor devices.  Here is a two edged sword.  True; use of chips that are NOT proprietary means that all can write to and understand what happens with the chips.  That means that even a meager coder like myself can in fact easily code to these chips.  The beneficial fact is that since code and chips are public and open source, we can all examine the code that is driving the security of our Bitcoins.  I view that as a major plus.  On the other hand similar devices (no names given because this is not an attack on them) with closed system chips are not easily accessible by the public.  A coder with malicious intent would find it more difficult to mess with such a chip, but what happens inside that chip means we MUST trust the mfg.  What if our trust is misplaced?  There is NO way to know until its wayyyyyyyy too late where BTC is concerned.  I strongly contend that public open source coding and many eyes is the better method to maintaining our security.  Just my take on this.  Bottom line: I see no reason to worry about my coins on a Trezor. Common sense dictates that employing BIP39 (extended seed passphrases) with your hardware device is good OPSec!


http://saleemrashid.com/2017/08/17/extracting-trezor-secrets-sram/

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
1542237241
Hero Member
*
Offline Offline

Posts: 1542237241

View Profile Personal Message (Offline)

Ignore
1542237241
Reply with quote  #2

1542237241
Report to moderator
1542237241
Hero Member
*
Offline Offline

Posts: 1542237241

View Profile Personal Message (Offline)

Ignore
1542237241
Reply with quote  #2

1542237241
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1542237241
Hero Member
*
Offline Offline

Posts: 1542237241

View Profile Personal Message (Offline)

Ignore
1542237241
Reply with quote  #2

1542237241
Report to moderator
1542237241
Hero Member
*
Offline Offline

Posts: 1542237241

View Profile Personal Message (Offline)

Ignore
1542237241
Reply with quote  #2

1542237241
Report to moderator
1542237241
Hero Member
*
Offline Offline

Posts: 1542237241

View Profile Personal Message (Offline)

Ignore
1542237241
Reply with quote  #2

1542237241
Report to moderator
HeRetiK
Hero Member
*****
Online Online

Activity: 924
Merit: 788


the forkings will continue until morale improves


View Profile
August 22, 2017, 06:07:43 PM
 #2

Nice writeup, thanks for taking the time to independently analyze SatoshiLabs' bugfix Smiley

It's especially interesting to see how fairly straightforward the fix is. I absolutely agree that open source code and hardware is absolutely necessary to provide a trustworthy hardware wallet. Knowing that there are a lot of talented people out there hacking away makes me definitely feel much safer about Trezor. Especially with SatoshiLabs' fast response time. I remember the side-channel attack that got discovered and fixed some time ago in the early days of Trezor [1]. I doubt it would have been found so quickly if Trezor wouldn't be as tinker-friendly as it is. It would have been found eventually, but probably by less well-meaning people.

[1] https://jochen-hoenicke.de/trezor-power-analysis/

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!