Bitcoin Forum
October 19, 2018, 03:54:33 AM *
News: Make sure you are not using versions of Bitcoin Core other than 0.17.0 [Torrent], 0.16.3, 0.15.2, or 0.14.3. More info.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: TREZOR can Hacked ?  (Read 108 times)
Cogy
Jr. Member
*
Offline Offline

Activity: 33
Merit: 1


View Profile
July 03, 2018, 04:17:30 PM
 #1

I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.
1539921273
Hero Member
*
Offline Offline

Posts: 1539921273

View Profile Personal Message (Offline)

Ignore
1539921273
Reply with quote  #2

1539921273
Report to moderator
1539921273
Hero Member
*
Offline Offline

Posts: 1539921273

View Profile Personal Message (Offline)

Ignore
1539921273
Reply with quote  #2

1539921273
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1539921273
Hero Member
*
Offline Offline

Posts: 1539921273

View Profile Personal Message (Offline)

Ignore
1539921273
Reply with quote  #2

1539921273
Report to moderator
1539921273
Hero Member
*
Offline Offline

Posts: 1539921273

View Profile Personal Message (Offline)

Ignore
1539921273
Reply with quote  #2

1539921273
Report to moderator
1539921273
Hero Member
*
Offline Offline

Posts: 1539921273

View Profile Personal Message (Offline)

Ignore
1539921273
Reply with quote  #2

1539921273
Report to moderator
BitCryptex
Sr. Member
****
Offline Offline

Activity: 364
Merit: 296



View Profile WWW
July 03, 2018, 04:30:13 PM
 #2

TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?
Cogy
Jr. Member
*
Offline Offline

Activity: 33
Merit: 1


View Profile
July 03, 2018, 04:35:57 PM
 #3

TREZOR comes without any pre-loaded software, it's downloaded automatically from their servers once you initialize it. Plug it in and check if the device asks you to install firmware. If so, I would consider it as safe. Check if it isn't physically damaged. It would be difficult for anyone to tamper with the device without damaging the case.

Edit: I have just read your post once again and I see that you have already initialized it. Do you remember if it was downloading the firmware? Is the case damaged or scratched?

Thanks a lot,
Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.
HeRetiK
Hero Member
*****
Offline Offline

Activity: 896
Merit: 758


the forkings will continue until morale improves


View Profile
July 03, 2018, 04:49:34 PM
 #4

You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html


Edit: I was utterly mistaken regarding the BIP-0039 mnemonic. Please refer to HCP's post below.

BitCryptex
Sr. Member
****
Offline Offline

Activity: 364
Merit: 296



View Profile WWW
July 03, 2018, 04:50:54 PM
 #5

Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.
Cogy
Jr. Member
*
Offline Offline

Activity: 33
Merit: 1


View Profile
July 03, 2018, 04:55:54 PM
 #6

You mean someone opened the box or someone opened / broke apart the hardware wallet itself?

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.

The wallets hardware and firmware itself is fairly tamper-proof, so if someone tried to update your Trezor with malicious code you'd get a warning whenever you try to access your wallet. The physical hardware itself is rather unlikely to be opened up and tampered with without any obvious signs.

SatoshiLabs has a nice overview of possible (known) attack vectors btw:
https://doc.satoshilabs.com/trezor-faq/threats.html



I mean Someone opened the packet.
Cogy
Jr. Member
*
Offline Offline

Activity: 33
Merit: 1


View Profile
July 03, 2018, 05:03:24 PM
 #7

Yes I install it successfully , even I didn't face any problem. I just afraid , need to confirm that no one can hacked it.

You should be safe if you installed the firmare by yourself and generated the seed. It looks like the person who opened your package didn't know what to do with it.
Remember to check your seed (it's available on TREZOR wallet page) because you will need it to recover your coins.

Thanks a lot, now I feel free.
suzanne5223
Sr. Member
****
Offline Offline

Activity: 588
Merit: 262



View Profile
July 03, 2018, 06:02:58 PM
 #8

I bought a trezor, they delver it to my office unfortunately I forgot it at my office and next day I saw someone open it and its not intact.
Is there have any possibility to hacked. I setup it but now i scared is it safe now for me. please suggest me what can i do now.
Both Trezor and Ledger Nano S wallet are secure wallet but can be hack if you dont avoid the necessary error but with the wallet package not intact. I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack.
Where do you order the item?

BitCryptex
Sr. Member
****
Offline Offline

Activity: 364
Merit: 296



View Profile WWW
July 03, 2018, 09:26:51 PM
 #9

I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.
dunfida
Legendary
*
Offline Offline

Activity: 1078
Merit: 1001



View Profile
July 03, 2018, 11:18:37 PM
 #10

I will advice to contact the wallet provider and the issue cause the wallet might be vulnerable or not secure due to what you said about the pack. Where do you order the item?

Did you even bother to read the whole thread? The package arrived to his office intact and he saw that someone has already opened it. There is no point in contacting the manufacturer because it's not their fault.
On these kind of cases manufacturer wont really be liable on this kind of case as long the reciever of such package do accept it on sealed box and later on it found out to be open then the sender isnt liable.
I believe it has been opened for a curious office mate  Grin If someone on the place had a knowledge about cryptocurrencies and hardware wallets then you are possible at risk but on a short period of time i dont think it had been compromised.

                 ▄███▄
                ███████░
               █████████▄
              ████████████
             ███████████▓▓▓░
            ███████████▓▓▓▓▓
          ░███████████▓▓▓▓▓░░░
         ░███████████▓▓▓▓▓░░░░░
        ░███████████▓▓▓▓▓░░░░░░░
       ░███████████▓▓▓▓▓░░░░░░░░░░
      ░███████████▓▓▓▓▓░░░░░░░░░░░░
    ░░███████████▓▓▓▓▓░░░░░░░░░░░░░░
    ░███████████▓▓▓▓▓░░░░░░░░░░░░░░░░
██
██
██
██
██
██
██
.............PayPal  of   Cryptocurrencies ...........
  Blockchain Protocol + 12 Working Modules - Use Crypto as Cash
██
██
██
██
██
██
██
...........Invest Now...........
     ▄████████████████████████▄
    ███████████████████████████▌
    ████████████████▀▀ ---¬█████
    ███████████████        █████
    ██████████████    ▄▄▄▄▄█████
    ██████████████    ▀█████████
    ██████████▌            █████
    ██████████▌            █████
    ██████████████    ██████████
    ██████████████    ██████████
    ██████████████    ██████████
    ▐█████████████    █████████
      ▀▀▀▀▀▀▀▀▀▀▀▀    ▀▀▀▀▀▀▀
▄▓█████████████████████▓▓▄
▓██████████████████████████▌
███████████████████▓▓▀  ▓██▌
██████████████▓▀▀       ▓██▌
████████▓▀▀      ▄█    ▐███▌
███▓▀        ▄▄▓▀      ▓███▌
███▓▄▄▄   ▄▓█▓         ████▌
████████▓ ▓▌          ▓████▌
█████████▓    ▄       █████▌
██████████▌ ▄▓██▓▄   ▐█████▌
███████████████████▓▓██████▌
▐██████████████████████████
  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
▄███████████████████▄
██████████████████████▌
██████████████████████▌
████████████     █▀███▌
███   █████        ▐██▌
███               ▐███▌
███               ████▌
████             █████▌
█████▄▄         ██████▌
████         ▄████████▌
██████████████████████▌
██████████████████████▌

    ██▄▄             ▄███▄
    ███████▄        ▄████████▄▄
    ██████████     ████████████▌
    ███████████▄ ▄████████████░░
    ████████████████████████░░░░
    ███████████████████████░░░░░
    █████████████████████░░░░░░░
    █████████   ▀▀███████░░░░░░░
    █████████        ▀░░░░░░░░░░
       ▀▀████             ░░░░░░
           ▀▀                 ░░
Lucius
Legendary
*
Offline Offline

Activity: 1204
Merit: 1071


Fortis Fortuna Adiuvat


View Profile WWW
July 04, 2018, 08:40:22 AM
 #11

The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.

   ███                       
   █████                     
  ███████                    
 ██████████        █         
  █████████      ████        
  ████████      ██           
     ██████    ██            
       ██████████            
            ██████   ███████ 
         █████  ██████████████
       ███ ███  ████████████ 
       ██ █          █       
      █                      
     █                       
.
                          ██ 
                       █████ 
                      ███████
           █        ██████████
          ████      █████████
             ██      ████████
              ██    ██████   
              ██████████     
   ███████   ██████          
 ██████████████  █████       
   ████████████  ███ ██      
    ██████          █ ██     
                        █    
                         █  




███           
██████        
████████     
██████████    
████████████ 
██████████████
██████████████
████████████  
██████████    
████████      
██████        
███           
.

██████████
██████████
██████████
██████████
.

          ████
        ██████
      ████████
    ██████████
  ████████████
██████████████
██████████████
  ████████████
    ██████████
      ████████
        ██████
           ███
Cogy
Jr. Member
*
Offline Offline

Activity: 33
Merit: 1


View Profile
July 04, 2018, 03:43:59 PM
 #12

The mistake was to order something like this to your work place, only reasonable option is to order it at your home address so you would avoid someone open the package. It's probably just a question of a curiosity, but it's definitely not okay to open a package that is not named in your name - this is a classic violation of privacy. Although in this case using of mentioned hardware wallet is not compromised, there is one dose of doubt which remains.

Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.
notaek
Legendary
*
Offline Offline

Activity: 1258
Merit: 1008


View Profile WWW
July 04, 2018, 07:01:57 PM
Merited by HCP (1)
 #13

Yes Sir, I did this mistake. I already install it successfully, I want to know now its have any possibility to hacked.

Just to make sure you're fully safe, you can wipe your Trezor device and start initializing again with a new seed.
This can be accessed by pressing "Advanced settings" button on Trezor Bridge Interface after you have plugged it.



Out of curiosity, which model of Trezor did you buy?

HCP
Hero Member
*****
Offline Offline

Activity: 756
Merit: 932

<insert witty quote here>


View Profile
July 05, 2018, 11:23:24 PM
Merited by HeRetiK (1)
 #14

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.
You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).


OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).

HeRetiK
Hero Member
*****
Offline Offline

Activity: 896
Merit: 758


the forkings will continue until morale improves


View Profile
July 06, 2018, 12:04:24 AM
 #15

The latter should be fairly obvious and I wouldn't be using the Trezor anymore at that point. If someone simply opened the box, you should be fairly safe assuming you don't use the Trezor's default seed phrase and create one yourself by selecting words from the BIP-0039 word list: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Make sure to select words from the BIP-0039 word list randomly, not by selecting lucky numbers or words you more easily remember. Using dice may help as well during the selection process. Use a strong passphrase on top just to be sure (ie. when setting up your wallet you not only enter the seed phrase, but optionally can also add passphrases for multiple accounts in addition to your PIN). Make sure to back up your seed phrase.
You can't just randomly select words from the BIP39 wordlist and expect to get a valid seed mnemonic.

Part of the last word value is a "checksum" that is derived from the rest of mnemonic. If you're randomly picking words, it is highly likely that you're going to end up with an invalid checksum... from memory the odds of picking a word that includes a valid checksum are something like 8/2048 (there are usually around 8 words that will have the correct checksum out of the possible 2048).


OPs best option, if they're concerned, is to simply wipe the device and set it up from scratch again as suggested above (it'll generate a new random seed).

Aw geez. Thank you for correcting me! I had a feeling that my memory was off but couldn't quite put my finger on it.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!