Trezor T (2.3.0) and Trezor One (1.9.0) firmware update

[Rath_]

I usually post information about Trezor software updates in their official thread but exceptionally, this update drew my attention. You can read about all the changes here.

A lot of people have been complaining about the unfixable seed extraction which Trezor recommends to mitigate using a passhrase. Trezor T finally can make use of its SD card reader. An SD card can now store a secret which along with the PIN can decrypt the data stored on the device. So, as long as the device owner keeps the SD card and the device separated, physical attacks such as theft or losing the device shouldn't be a problem anymore (if one is afraid that someone would exploit the vulnerability). It's not a perfect solution as some of you will probably point out but at least there's a way to protect the device.

[1714781298]

1714781298

[HCP]

The "wipe code" is also an interesting feature that they have added... basically a "dummy PIN" that just instantly wipes the device!

As they say, "You can write the wipe code somewhere near your Trezor as a decoy PIN, so that if someone tries to unlock the device without your consent, they will cause it to wipe itself." That's a pretty nifty little feature, imo.

[Rath_]

New features are not available through web interface. In order to enable them, I installed trezorctl. I had to follow this guide to do it on Windows.

This update 'broke' passphrase support on Trezor T. Before the update, the device always asked the user if they wanted to enter the passphrase on the device or the host. Now, the default behaviour is entering it on the host. That's ridiculous considering that the built-in touchscreen is the reason why some people bought it. To make things even more fun, one cannot change that default behaviour without using trezorctl at the moment. Wallet vendors need to update their software.

As for the SD card protection, it works fairly well. Without the SD card, the device shows the following warning after entering the PIN (https://i.imgur.com/YilOy2l.png). Trezor creates one file under unique directory (trezor/device_{$device_id}/salt) for each device.

[HCP]

This update 'broke' passphrase support on Trezor T. Before the update, the device always asked the user if they wanted to enter the passphrase on the device or the host. Now, the default behaviour is entering it on the host. That's ridiculous considering that the built-in touchscreen is the reason why some people bought it. To make things even more fun, one cannot change that default behaviour without using trezorctl at the moment. Wallet vendors need to update their software.

That's weird. According to the Release Notes that you linked to in the OP:

Second, on Trezor Model T, the decision whether the passphrase will be entered on the device is prompted directly in the Wallet (see picture below). This helps the overall UX since the user’s focus stays in the Wallet until the passphrase needs to be entered on the device.

This seems to imply that they just moved the prompt from the device into the webwallet (hots)... so it would appear that you can still choose to enter the passphrase on the device, you just have to click the "Enter on device" button on the web wallet UI first.

Trezor thinks this improves the UX... and I can see the logic, but can't really comment either way as I've never used a Trezor T so am not sure of the usual workflow.

[Rath_]

This seems to imply that they just moved the prompt from the device into the webwallet (hots)... so it would appear that you can still choose to enter the passphrase on the device, you just have to click the "Enter on device" button on the web wallet UI first.

Oh, I haven't tried the web interface because it doesn't support native SegWit. I have disabled '--force-on-device' option and tried it to access it. While it works just like you described on their web wallet, third-party wallets obviously don't ask the user how they would like to enter the passphrase; host entry is forced. I don't understand why it's not possible to change that behaviour under 'Advanced' tab in the web interface. People who don't want to expose their passphrase and don't know how to install trezorctl now have to wait for a software update of the wallet they use to access their coins safely.

[HCP]

Oh, I haven't tried the web interface because it doesn't support native SegWit.

Ahhhh that would explain it. Yeah, I can certainly understand in that scenario how annoying it is... and it certainly does seem a bit like a retrograde step. Personally, I'm not sure that the UX "improvement" warranted this change at all. They're simply forcing their methodology onto the existing userbase.

I don't understand why it's not possible to change that behaviour under 'Advanced' tab in the web interface. People who don't want to expose their passphrase and don't know how to install trezorctl now have to wait for a software update of the wallet they use to access their coins safely.

I agree... this seems like it should have been a "beta" feature to give wallets a chance to catch up before being "forced" onto unsuspecting users.

When companies make unilateral decisions like this, it's always current users that "suffer"

It's a bit like the issue with Google Fit at the moment... they had this concept of "move minutes" which worked really well for people participating in activities that don't involve "steps" per se (ie. HIIT, Ellipticals, rowing machines, exercycles etc)... However, Google have now "forced" an update which monitors "steps" as the main measurement of activity! The Play Store is being bombarded with 1 star reviews from angry users!

[Pmalek]

What happens if the SD card breaks or malfunctions and you are no longer able to use it to extract the secret code?
You can't gain access to your Trezor without the secret from the SD card.
I assume that the option can only be disabled once the device is unlocked (with the card inserted). The article mentions that factory resetting the device will also disable this option. Hopefully.   

[Rath_]

What happens if the SD card breaks or malfunctions and you are no longer able to use it to extract the secret code?

You can either boot the device into bootloader mode and reinstall the firmware or enter a wrong PIN 16 times to reset the device. The secret can be copied manually so one can have few SD cards or an encrypted backup.