Bitcoin Forum
Topic: Trezor announces Tropic Square
Rath_ (OP)
aka BitCryptex
May 14, 2020, 11:26:49 PM
Merited by COVID-19 (1)
 #1

Trezor announced the foundation of Tropic Square - a company whose aim will be to develop a chip which will be open and fully auditable. The rest of the article reveals that Trezor attempted to create a new device with a Secure Element and they managed to find some flaws in the chip which they are unable to disclose due to an NDA. You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.
Pmalek
May 15, 2020, 12:40:39 PM
 #2

I wonder if what the Trezor team discovered about the secure element should be a worrying sign for Ledger and Ledger hardware wallet users?
The article didn't mention if they are obliged to share their findings with Ledger as a condition of the NDA in the same way that Ledger did in the past when they discovered those Trezor vulnerabilities.

Rath_ (OP)
aka BitCryptex
May 15, 2020, 02:18:36 PM
 #3

The article didn't mention if they are obliged to share their findings with Ledger as a condition of the NDA in the same way that Ledger did in the past when they discovered those Trezor vulnerabilities.  

Their findings are related to a specific Secure Element; not necessarily the one Ledger uses in one of their devices. They would disclose the vulnerabilities but they can't because they have signed a non-disclosure agreement (NDA) to get the full documentation of the chip. Trezor claims that the vendor is not going to share those flaws with their clients as well.
Pmalek
May 17, 2020, 12:33:28 PM
 #4

Trezor claims that the vendor is not going to share those flaws with their clients as well.
Yes, I know. It seems like an irresponsible and bad move if they are trying to fix the flaw.

If they are not, this is the situation:
The vendor knows about a vulnerability. Trezor discovered the same vulnerability but can't make it public due to their NDA agreement. The vendor is aware that Trezor discovered the flaw but their response is that nobody is allowed to talk about it. Seems like the customers are the ones who have to hope that their funds will stay safe...

bitmover
May 17, 2020, 02:02:41 PM
 #5

You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.

Are you talking about the vulnerability discovered by Ledger about a year ago?
https://news.bitcoin.com/ledger-reveals-physical-exploits-against-trezor-hardware-wallets/

Or is there any other?

This is not a huge vulnerability imo, as the attacker would need physical access and you can use a passphrase which would make it much harder to exploit. Isn't it?

DireWolfM14
May 17, 2020, 02:34:53 PM
 #6

You should read the rest of the text on your own, especially if you are disappointed with the recently found vulnerabilities in Trezor.

Are you talking about the vulnerability discovered by Ledger about a year ago?
https://news.bitcoin.com/ledger-reveals-physical-exploits-against-trezor-hardware-wallets/

Or is there any other?

This is not a huge vulnerability imo, as the attacker would need physical access and you can use a passphrase which would make it much harder to exploit. Isn't it?

I don't want to speak for BitCryptex, but I believe that is indeed the only vulnerability known to afflict the Trezor. And yes, it can be mitigated by assigning a strong BIP39 passphrase.

I'm not overly concerned about this particular vulnerability either, but if Trezor can do something to eliminate it I would be all in favor. It sounds like all of our Trezors will become obsolete once Trezor finds a workable hardware solution. I wish them much success.

Rath_ (OP)
aka BitCryptex
May 17, 2020, 02:57:55 PM
 #7

This is not a huge vulnerability imo, as the attacker would need physical access and you can use a passphrase which would make it much harder to exploit. Isn't it?

I don't feel affected myself either. The probability of a physical attack is really low. Still, I think that we should keep talking about this issue in case someone missed it.

I'm not overly concerned about this particular vulnerability either, but if Trezor can do something to eliminate it I would be all in favor.

Actually, in the latest Trezor T update, they introduced SD card protection. A randomly generated secret is stored on an SD card which along with the PIN is used to decrypt the data stored on the device. I have tried it and it works well. Without the SD card, the device is practically useless for the attacker.
DireWolfM14
May 17, 2020, 03:04:36 PM
 #8

Actually, in the latest Trezor T update, they introduced SD card protection. A randomly generated secret is stored on an SD card which along with the PIN is used to decrypt the data stored on the device. I have tried it and it works well. Without the SD card, the device is practically useless for the attacker.

That's a pretty cool feature, but I haven't played with it yet. Honestly, I've been using my T1 mostly in recent months since it's smaller and more easily portable. I have a very strong passphrase set. I'm confident I'll have ample time to notice if it goes missing.

Rath_ (OP)
aka BitCryptex
May 18, 2020, 09:39:05 AM
 #9

It's an interesting feature, but I wonder if we can use multiple SD cards (by performing a raw copy from one SD card to another) in case you lose or break your SD card, which is quite small and fragile?

Sure! Trezor automatically creates a folder in the main directory of the SD card (trezor -> device_DEVICEID) inside which there is a small 'salt' file. You can easily copy that folder to any SD card and it will work fine as long as its file system is set to FAT32.
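
The SD card protection described in posts #7 and #9, modelled as an added sketch that is not part of the thread and is not Trezor's firmware: a key derived from PIN plus the card's salt file unlocks the stored data, a folder copy on a second card works the same, and the correct PIN without the salt fails. Only the `trezor/device_DEVICEID/salt` layout comes from the post; the PBKDF2 parameters, the toy XOR key wrap, the device ID and the PIN are assumptions made for illustration.

```python
import hashlib, hmac, os, shutil, tempfile
from pathlib import Path

ITERATIONS = 10_000  # assumed work factor, chosen for this sketch

def salt_path(card_root: Path, device_id: str) -> Path:
    # Layout from post #9: trezor/device_DEVICEID/salt on the card.
    return card_root / "trezor" / f"device_{device_id}" / "salt"

def read_salt(card_root: Path, device_id: str):
    p = salt_path(card_root, device_id)
    return p.read_bytes() if p.is_file() else None

def derive_kek(pin: str, sd_salt: bytes, device_salt: bytes) -> bytes:
    # Key-encryption key depends on both the PIN and the SD card secret.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_salt + sd_salt, ITERATIONS)

def seal(dek: bytes, pin: str, sd_salt: bytes, device_salt: bytes):
    kek = derive_kek(pin, sd_salt, device_salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))  # toy key wrap, 32-byte keys
    return wrapped, hmac.new(kek, wrapped, hashlib.sha256).digest()

def unlock(blob, pin: str, sd_salt, device_salt: bytes):
    if sd_salt is None:
        return None  # no card present, nothing to derive the key from
    wrapped, tag = blob
    kek = derive_kek(pin, sd_salt, device_salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None  # wrong PIN and wrong salt fail the same way
    return bytes(a ^ b for a, b in zip(wrapped, kek))

def demo() -> dict:
    device_id, pin = "EXAMPLE0001", "4821"  # constructed sample values
    device_salt, dek = os.urandom(32), os.urandom(32)
    with tempfile.TemporaryDirectory() as tmp:
        card_a, card_b, blank = (Path(tmp) / n for n in ("card_a", "card_b", "blank"))
        salt_path(card_a, device_id).parent.mkdir(parents=True)
        salt_path(card_a, device_id).write_bytes(os.urandom(32))
        shutil.copytree(card_a / "trezor", card_b / "trezor")  # backup: copy the folder
        blank.mkdir()
        blob = seal(dek, pin, read_salt(card_a, device_id), device_salt)
        cards = {"original": card_a, "copy": card_b, "no card": blank}
        out = {k: unlock(blob, pin, read_salt(c, device_id), device_salt) == dek
               for k, c in cards.items()}
        out["other salt"] = unlock(blob, pin, os.urandom(32), device_salt) == dek
        return out

if __name__ == "__main__":
    print(demo())
```

Because a byte-identical copy of the salt folder unlocks the device, a backup card needs the same physical protection as the original.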