[PSA] Non-genuine Trezor One devices spotted

[HeRetiK]

Just a heads-up, SatoshiLabs just sent out a newsletter that the first 1:1 Trezor One clones have been finally spotted in the wild:

https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7

For the longest time I expected the likes of an evil maid attack [1] to be of mostly theoretical concern, but while a different issue this problem is of similar concern. As of now it seems to be unsure whether these clones are malicious, but I personally wouldn't take any chances.

To any newbies reading this: Be reminded that buying hardware wallets anywhere but from the original vendors is a huge security risk. That's true for any sort of hardware wallet, not just Trezor.

[1] https://doc.satoshilabs.com/trezor-faq/threats.html#evil-maid-attack-replace-the-trezor-with-a-fake

[1714936224]

1714936224

[1714936224]

1714936224

[1714936224]

1714936224

[Lucius]

Unfortunately, they don't show difference between fake and real hardware wallet/device whether by physical or software/firmware different.
I'd like to know if desktop wallet software could identify between real/fake trezor and whether using genuine firmware update will break fake trezor.

Only way to see the difference between fake and real Trezor is for now only holographic seal as shown in the pictures, but these holograms are very similar and it is not easy to distinguish them if you not have original and fake package.

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

[HCP]

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!?

[HeRetiK]

I guess when you connect fake Trezor to original UI it should work same as original, otherwise it would not make sense for forgers to make and sell them. The only question is whether such a device is made for intention to steal users coins, or it is just a identical copy made with a reason to profit on sales.

Does the Trezor not show a warning about using a modified firmware? I was sure that it had a warning if a firmware that was not signed by SatoshiLabs was loaded... at least as far back as March this year anyway...

https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95

So are these 1:1 copies using modified Firmware AND Bootloaders? SatoshiLabs haven't really mentioned much... and seem to say that only by looking at the box and label... no onscreen warnings??!?

Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

[Lucius]

Trezors come only with the bootloader pre-installed, the firmware is installed when first initializing the device making sure one can start from a clean slate.

Presumably the Trezor clones use the same bootloader, allowing it to install and run the official firmware. If that's the case no warning will be shown on the web interface.

Problem being that while the software may be verified, you have no way of knowing whether the hardware is trustworthy. They could have used less secure components, they could have installed a backdoor on the hardware level, etc.

Actually then there is no way to determine if it is an original or a copy of Trezor hardware wallet, maybe only if user have 100% original Trezor ordered from the manufacturer directly and suspicious product in front of you.

Apart from the difference in holographic seal there are probably some differences in the box and in the hardware wallet itself. Some tips can be seen in this video, but only right way to buy hardware wallet is directly from manufacturer - in this way the possibility to get fake wallet is maximally reduced.

[LTU_btc]

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

[aoluain]

We know by now that the only way to eliminate receiving a fake Trezor
is to purchase directly from the manufacturer but if you dont know
that it is easy to get caught by buying a fake at what seems like a deal.

Regarding the hologram, im sure these can be copied. I have seen
copies of PAMP carded Gold bars which were in fact fakes, everything
looked almost perfect including the hologram. The only noticable
difference was the thickness of the "gold" bar. So anything can be copied
near enough to the original to trick people.

Again only way is to buy from the official source.

[gentlemand]

Does anyone knows where exactly it was spotted? I can't find this information. People need to know where they shouldn't buy this wallet.
It's another warning why people should buy hardware wallets only from official websites and authorised resellers. In this case it's really difficult to spot difference between fake and original wallet, especially if you never had Trezor in your hands.

The only mention I can find is 'online marketplaces' which is presumably Ebay and Amazon.

I can't find any mention of what happens when you connect it to a Trezor interface. It's a tad worrying that the only differences they can offer are the hologram and a mention of being made in China. Both are rectified easily enough.