Bitcoin Forum
May 19, 2019, 02:01:03 PM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [PSA] Non-genuine Trezor One devices spotted  (Read 148 times)
HeRetiK
Legendary
*
Offline Offline

Activity: 1106
Merit: 1047


the forkings will continue until morale improves


View Profile
November 19, 2018, 04:43:31 PM
Last edit: November 19, 2018, 04:57:39 PM by HeRetiK
Merited by bones261 (2), o_e_l_e_o (2), HCP (1)
 #1

Just a heads-up, SatoshiLabs just sent out a newsletter that the first 1:1 Trezor One clones have been finally spotted in the wild:

https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7

For the longest time I expected the likes of an evil maid attack [1] to be of mostly theoretical concern, but while a different issue this problem is of similar concern. As of now it seems to be unsure whether these clones are malicious, but I personally wouldn't take any chances.

To any newbies reading this: Be reminded that buying hardware wallets anywhere but from the original vendors is a huge security risk. That's true for any sort of hardware wallet, not just Trezor.

[1] https://doc.satoshilabs.com/trezor-faq/threats.html#evil-maid-attack-replace-the-trezor-with-a-fake

1558274463
Hero Member
*
Offline Offline

Posts: 1558274463

View Profile Personal Message (Offline)

Ignore
1558274463
Reply with quote  #2

1558274463
Report to moderator
1558274463
Hero Member
*
Offline Offline

Posts: 1558274463

View Profile Personal Message (Offline)

Ignore
1558274463
Reply with quote  #2

1558274463
Report to moderator
There are several different types of Bitcoin clients. Header-only clients like Bither trust that the majority of mining power is honest for the purposes of enforcing network rules such as the 21 million BTC limit. Full clients do not trust miners in this way.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1558274463
Hero Member
*
Offline Offline

Posts: 1558274463

View Profile Personal Message (Offline)

Ignore
1558274463
Reply with quote  #2

1558274463
Report to moderator
1558274463
Hero Member
*
Offline Offline

Posts: 1558274463

View Profile Personal Message (Offline)

Ignore
1558274463
Reply with quote  #2

1558274463
Report to moderator
ETFbitcoin
Legendary
*
Offline Offline

Activity: 1638
Merit: 1763

Use SegWit and enjoy lower fees.


View Profile WWW
November 20, 2018, 04:19:37 AM
 #2

Unfortunately, they don't show difference between fake and real hardware wallet/device whether by physical or software/firmware different.
I'd like to know if desktop wallet software could identify between real/fake trezor and whether using genuine firmware update will break fake trezor.

Lucius
Legendary
*
Online Online

Activity: 1414
Merit: 1186


Fortis Fortuna Adiuvat


View Profile WWW
November 21, 2018, 03:32:35 PM
 #3

Unfortunately, they don't show difference between fake and real hardware wallet/device whether by physical or software/firmware different.
I'd like to know if desktop wallet software could identify between real/fake trezor and whether using genuine firmware update will break fake trezor.

Only way to see the difference between fake and real Trezor is for now only holographic seal as shown in the pictures, but these holograms are very similar and it is not easy to distinguish them if you not have original and fake package.

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

ETFbitcoin
Legendary
*
Offline Offline

Activity: 1638
Merit: 1763

Use SegWit and enjoy lower fees.


View Profile WWW
November 21, 2018, 05:45:24 PM
 #4

Only way to see the difference between fake and real Trezor is for now only holographic seal as shown in the pictures, but these holograms are very similar and it is not easy to distinguish them if you not have original and fake package.

I see, but this might be troublesome for few people who usually throw away packaging box

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

I agree, but i think steal users coin's (or at least user's private information) is more likely as i doubt they could earn lots of profit from selling hardware wallet with similar function/feature and lower price.
But even if Trezor's software can't even detect whether it's fake or real, then it's troublesome in many ways.

HCP
Legendary
*
Offline Offline

Activity: 966
Merit: 1489

<insert witty quote here>


View Profile
November 22, 2018, 12:55:43 AM
 #5

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.
Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? Huh SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!? Huh

HeRetiK
Legendary
*
Offline Offline

Activity: 1106
Merit: 1047


the forkings will continue until morale improves


View Profile
November 22, 2018, 01:16:23 PM
 #6

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.
Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? Huh SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!? Huh

Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

Lucius
Legendary
*
Online Online

Activity: 1414
Merit: 1186


Fortis Fortuna Adiuvat


View Profile WWW
November 22, 2018, 03:26:44 PM
 #7


Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

Actually then there is no way to determine if it is an original or a copy of Trezor hardware wallet, maybe only if user have 100% original Trezor ordered from the manufacturer directly and suspicious product in front of you.

Apart from the difference in holographic seal there are probably some differences in the box and in the hardware wallet itself. Some tips can be seen in this video, but only right way to buy hardware wallet is directly from manufacturer - in this way the possibility to get fake wallet is maximally reduced.

LTU_btc
Hero Member
*****
Offline Offline

Activity: 1232
Merit: 634



View Profile WWW
November 25, 2018, 12:21:03 AM
 #8

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

               ▄▄███████▄▄
            ▄███████████████▄
           ███████████████████
          █████████████████████▄▄▄▄
      ▄▄▄████████████████████████████▄
   ▄█████ ▐▌ ██████████████████████████▄
 ▄█████       ▀█         █          ████▄
▐███████  ███  ▐█  ██▀█▄▄█▄▄██  ██▄▄█████
████████       ██     ████████  █████████
████████  ███  ▐█  ██▄█▀▀█████  ████████▀
 ██████       ▄█         ███      █████▀
  ▀██████ ▐▌ ████████████████████████▀
    ▀▀▀██████████████████████████▀▀
       ▄▄▀▀▀██████▄
    ▄██████▀▀███████▀▀▄
  ▄██████▀▄███████████▄▀▄
 ▄█ ███████████████ ████▄▄
▄██████████████████▌▐█████▄
███████████████████████████
▀▄████████▄▄▄▀▀▀████████▀▄
██████████████████████████
▀████ ████████████████████▀
 ▀████ █████████▀▄████ ██▀
  ▀████▄▀█████▀▀▄█████▌▐▀
▄███▀▄██████▄▄████▀▀▄▄▀███▄
▀██████
▀▀████▄▄▄▄▄▀▀██████▀
   ▀▀▀███████████████▀▀▀
         ▄▄▀▀██▀▀▀▀▄▄▄▄▄
      ▄▀▀██▄▄█▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
  ▄▄▄▀▀▀█▄▄▄▀▄██████████
▄▀▀█▄▀█▄█▀███████████
▄▀████████▐▌██████
 █▀▄██████████▄████▄████
  ▀▄█████████████████████
   ▀▄█████████▀██████▀███
     ██████████▄██▄█████
      █████████████████████
       ▀▄████████████████
        ▀▄████████████████
          ▀███▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀
aoluain
Sr. Member
****
Offline Offline

Activity: 742
Merit: 284


View Profile
November 25, 2018, 08:56:58 AM
 #9

We know by now that the only way to eliminate receiving a fake Trezor
is to purchase directly from the manufacturer but if you dont know
that it is easy to get caught by buying a fake at what seems like a deal.

Regarding the hologram, im sure these can be copied. I have seen
copies of PAMP carded Gold bars which were in fact fakes, everything
looked almost perfect including the hologram. The only noticable
difference was the thickness of the "gold" bar. So anything can be copied
near enough to the original to trick people.

Again only way is to buy from the official source.
gentlemand
Legendary
*
Offline Offline

Activity: 2002
Merit: 1672


Baby Blue Panties


View Profile
November 25, 2018, 11:20:04 PM
 #10

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

The only mention I can find is 'online marketplaces' which is presumably Ebay and Amazon.

I can't find any mention of what happens when you connect it to a Trezor interface. It's a tad worrying that the only differences they can offer are the hologram and a mention of being made in China. Both are rectified easily enough.


Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!