Kraken Security Labs just 15 minutes to hack both of trezor's crypto hardware

[o_e_l_e_o]

Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.

I dont agree with that logic at all. I'm not concerned about physical attacks on my hardware wallets - I dont take them out and about with me, and they are stored in very secure locations. I still wiped my Trezor after learning about this vulnerability. I'm also not very concerned about physical attacks on my laptop, but I still use full disk encryption on it, and would absolutely swap to different software to do this if I knew the software I was using was crackable in <15 minutes.

And what about those 6% of users who are concerned about physical attacks? Do they not deserve a warning simply because they are in the minority?

My assumption is if a trezor is vulnerable to a specific attack, every other HW wallet is vulnerable to a similar attack, even if they have not been publicized.

Trezor devices do not user secure elements like some other hardware wallets do. There is no evidence to suggest that this attack would also be successful against a secure element.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 

More secure than an encrypted wallet on a permanently airgapped device?

[HCP]

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 

More secure than an encrypted wallet on a permanently airgapped device?

Depends if you're only considering "security" when deciding which is the "superior" solution.

I would say it all comes down to your own personal use case... how "secure" a HW might be compared to such a setup is debatable... given physical access to an airgapped device, it would probably be theoretically possible to access the private keys, even from an encrypted wallet... but yes of course a (properly) airgapped machine offers a decent level of security.

However the HW wallet will "win" if you need portability... I travel often, so this is important to me. Then there is the "ease of setup and/or use" factor. All the hardware wallets I have have taken me less than 15 minutes to setup from opening the package. Price could also be another factor ($60 for a Nano S vs. for a 2nd computer+webcams etc if you're going the QR code route).

All things considered, for me personally, I'd agree that a hardware wallet is still the "best" solution for storing my private keys... it offers levels of security and convenience that I'm happy with.

As with everything else in this world, YMMV.

[PrimeNumber7]

Trezor referenced a binance security survey conducted in 2018 that says only about 6% of crypto users are concerned with 'physical attacks'.

I dont agree with that logic at all. I'm not concerned about physical attacks on my hardware wallets - I dont take them out and about with me, and they are stored in very secure locations. I still wiped my Trezor after learning about this vulnerability. I'm also not very concerned about physical attacks on my laptop, but I still use full disk encryption on it, and would absolutely swap to different software to do this if I knew the software I was using was crackable in <15 minutes.

Both your laptop, and your trezor are secured by the same thing, that is a password. An attacker with physical access to your devices would need specialized equipment, and technical skills, plus your password (passphrase) to gain access to your trezor, but would only need your password to gain access to your computer.

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 

More secure than an encrypted wallet on a permanently airgapped device?

Yes. An airgapped device and a trezor need the same password to access any coin the respective device is holding. The airgapped computer will stay in a decrypted state for longer than a trezor when you are signing a transaction with either device. If you have an airgapped computer, an attacker with physical access to the device does not need any specialized equipment to start making attempts of guessing the password.

[malevolent]

Out of all possible alternatives, I would still consider a HW wallet to be superior to all other mediums to store private keys. 

More secure than an encrypted wallet on a permanently airgapped device?

Taking into account not just security but ease of use, user-friendliness, functionality, etc., for an average user (who likely has poor security practices), a hardware wallet (Trezor wallets included) is probably the safest place to store private keys.

[o_e_l_e_o]

@HCP and malevolent

I agree, and this is kind of the point I made a few posts back. Hardware wallets are marketed as simple to use, user friendly, etc. These devices are often recommended to newbies or other less technical users who would be unable to safely set up and use an airgapped machine or paper wallets. These are exactly the users who are most likely to be unfamiliar with passphrases and therefore not using them. It is deeply irresponsible of Trezor to not directly warn these users.

-snip-

You are correct, but only provided the hardware wallet is also using a passphrase. The majority of users do not use a passphrase, making a Trezor significantly less secure than an encrypted airgapped wallet.

[PrimeNumber7]

-snip-

You are correct, but only provided the hardware wallet is also using a passphrase. The majority of users do not use a passphrase, making a Trezor significantly less secure than an encrypted airgapped wallet.

Fair enough. But this also assumes a person using an encrypted airgapped wallet isn't using a very simple password, such as 'password1' or 'dog' even if they spell it backwards. I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine. 

[o_e_l_e_o]

I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine.

Yeah, agreed.

I use whole disk encryption on all my devices. The decryption key for my laptop which I use day-to-day for emails, work, etc. but not for my crypto wallets is around 100 bits of entropy, because as you say I have to enter it probably 5-10 times a day. The decryption key for my airgapped device which I store my cold wallets on is just short of 300 bits of entropy, because I wanted it to be at least as secure as a 24 word seed phrase. I only have to enter this maybe once a month, if that.

I know that I'm an outlier here though. I also know from experience in my workplace that people are horrendous when it comes to password security. Same password for everything, names of their spouse, family members, or pets (or even their own name!), passwords written down in their notebooks, even passwords written on the underside of keyboards. I would be hopeful that if someone is technical enough to be using whole disk encryption they are also smart enough to be using long random passwords, though.

[HCP]

I wonder if it is even technically possible for Trezor to enforce passphrases by default in their wallet? The passphrase functionality is currently "hidden" in the advanced settings once you get the wallet setup and I believe it actually sets a flag within the device so that the web interface asks for a passphrase during wallet unlocking.

So, theoretically, during the onboarding process, the web interface could simply set this flag and basically "demand" that the user set a passphrase... at which point, we'd most likely get users using substandard passphrases anyway... or thinking that they can simply "reset" the passphrase at some point like a computer password and end up forgetting it etc

I can understand the commercial reasons why Trezor are not that keen to "advertise" the flaw... after all, it's supposed to be a secure device... and saying "There is a massive hole in our security, but just use a long random password and you're all good" kind of negates that proposition and would scare off potential users (aka customers).

Meanwhile, more tech savvy users are savaging them on forums/twitter/reddit etc for this exact reason.

Certainly a reputational juggling act that I'm glad I don't have to attempt to perform!

[o_e_l_e_o]

I can understand the commercial reasons why Trezor are not that keen to "advertise" the flaw... after all, it's supposed to be a secure device... and saying "There is a massive hole in our security, but just use a long random password and you're all good" kind of negates that proposition and would scare off potential users (aka customers).

It's a fair point, but look at the flipside. First Ledger and then Kraken were able to pull off this attack. It's only a matter of time before someone malicious figures it out, if they haven't already, meaning it's only a matter of time before someone losses their coins to this vulnerability. All it will take is one major theft with the news that Trezor knew about the vulnerability and didn't warn the user in question to completely ruin their reputation.

I also don't envy their position, but I think the responsible thing to do would be to clearly state the vulnerability and the requirement for a passphrase, whilst stating that they are working on new hardware which will mitigate the attack.

[PrimeNumber7]

I would argue that many people also use very simple encryption passwords out of convenience because of the frequency they need to decrypt their machine.

Yeah, agreed.

I use whole disk encryption on all my devices. The decryption key for my laptop which I use day-to-day for emails, work, etc. but not for my crypto wallets is around 100 bits of entropy, because as you say I have to enter it probably 5-10 times a day. The decryption key for my airgapped device which I store my cold wallets on is just short of 300 bits of entropy, because I wanted it to be at least as secure as a 24 word seed phrase. I only have to enter this maybe once a month, if that.

It really comes down to balancing security vs convenience. it is also a balance of security vs being able to memorize your password. If you have a complex password full of entropy, that is great and all, but it kinda defeats the point if you can't decrypt it because you forgot your passphrase.

I know that I'm an outlier here though. I also know from experience in my workplace that people are horrendous when it comes to password security. Same password for everything, names of their spouse, family members, or pets (or even their own name!), passwords written down in their notebooks, even passwords written on the underside of keyboards. I would be hopeful that if someone is technical enough to be using whole disk encryption they are also smart enough to be using long random passwords, though.

In many companies, writing passwords down as you describe would be a 'clean desk' violation. Many companies also utilize some kind of Single Sign On technology that allows employees to use a single username/password combination across (nearly) all services requiring authentication; in these cases, all the applications are run by the same company, so the risk of 'one' password leaking is not the same as it in normally, and companies usually keep track of unsuccessful login attempts, and will lock accounts upon a small number of attempts. Using a weak password to a service or application is bad, but not the same as having a weak encryption key.

Back on topic....if your device holding coin is subject to a physical attack, I would suggest you consider it to be eventually compromised. If this is part of your threat model, you should create countermeasures that involve you discovering, or being notified of the physical attack quickly, and use other countermeasures that delays the time from the physical compromise to the compromise of the keys.

It bears repeating that a trezor allows you to have multiple passphrases, so you can have a simple of moderately complex passphrase securing a low to moderate amount of coin. If any attacker physically steals your trezor, and can discover your simple passphrase, they need to make a decision if they want to continue looking for an additional passphrase, and if they want to spend the coin they have discovered. You can monitor the coin being secured by the simple passphrase, and if this coin moves, you can move the coin being secured via a more complex passphrase.  

I wonder if it is even technically possible for Trezor to enforce passphrases by default in their wallet? The passphrase functionality is currently "hidden" in the advanced settings once you get the wallet setup and I believe it actually sets a flag within the device so that the web interface asks for a passphrase during wallet unlocking.

No, it is not. They could enable it by default, or prevent it from being disabled. None of this would prevent someone from using a blank passphrase, or a very simple one such as zzzz

[o_e_l_e_o]

if your device holding coin is subject to a physical attack, I would suggest you consider it to be eventually compromised.

Completely agree. Even when using a hardware wallet which does not have this vulnerability, or an encrypted cold wallet, no setup should be assumed to be 100% safe. It should be seen as a method to buy you varying lengths of time to secure your coins before they can be stolen. Just as if my laptop was stolen, despite its whole disk encryption, I would still revoke its permissions and change all my passwords, if my hardware or cold wallets were stolen, I'd be using back ups to move all the coins within.

If any attacker physically steals your trezor, and can discover your simple passphrase, they need to make a decision if they want to continue looking for an additional passphrase, and if they want to spend the coin they have discovered.

I do use multiple passphrases, but I'm not a fan of solely relying on this method. I no longer use any Trezor devices, but if someone was to steal one, it would likely be a targeted attack because I had been sloppy with address reuse or similar and exposed some holdings, so they would know exactly how much bitcoin they were looking for. Further, physically stealing the wallet would be the hard part of the attack, and continually trying to brute force a passphrase relatively easy, so I suspect they might continue until they find what they are looking for. All my wallets are in locations where I would personally discover they are missing or be informed as such by trusted third parties with a maximum of 24 hours.