Can the manufacturer access your private keys?

[Harambe]

Let's say I have a Trezor T Hardware wallet. How can I be sure that when I set it up and generated the private keys, it really used a real random algorithm to generate the private keys? I know it's open source firmware, but is it possible to verify that it really downloaded the same open source firmware from their official website, that's on Github? Wouldn't it be safer to generate your private keys for yourself with dices? I know it's a trusted company with high reputation, but is there a 100% mathematical way to verify that they don't have access to the private keys?

[1714159334]

1714159334

[1714159334]

1714159334

[1714159334]

1714159334

[dkbit98]

Let's say I have a Trezor T Hardware wallet. How can I be sure that when I set it up and generated the private keys, it really used a real random algorithm to generate the private keys? I know it's open source firmware, but is it possible to verify that it really downloaded the same open source firmware from their official website, that's on Github? Wouldn't it be safer to generate your private keys for yourself with dices? I know it's a trusted company with high reputation, but is there a 100% mathematical way to verify that they don't have access to the private keys?

You can 100% verify that you are using the same code from their official github page and you can even make your own Trezor wallet following instructions if you have the skills and patience.
Humans are really bad at creating random stuff and you don't have to trust your hardware wallet if you add BIP39 passphrase encryption, and some other hardware wallets are even offering optional roll-the-dice if you want it.
In any case there are no way for Trezor to know your private keys, but attackers with physical access to your hardware wallet can potentially access it if you don't use passphrase.

[Pmalek]

If you don't know how to verify the source code yourself, all that you are left with is trusting that someone else has done it and concluded that the wallet is safe to use. Since dkbit98 brought up the subject, I am surprised he didn't link to this own thread that contains information about how to create your own Trezor wallet.

If you think you are up for the challenge, watch the video and read the instructions. Download the repository, order the parts, and get to work.  

[DireWolfM14]

If you don't want to use the device itself to generate the seed (if that concerns you for whatever reason) you can use Ian Coleman's Bip39 tool.  You can download it from github and run it offline, on an airgapped machine for added security.  The other advantage of using this method is that you can generate a 24 word seed phrase, which the Trezor T will not do.

[Pmalek]

If you don't want to use the device itself to generate the seed (if that concerns you for whatever reason) you can use Ian Coleman's Bip39 tool.  

Now we are back on the trust dilemma. If OP doesn't trust the random key generation algorithm of Trezor, why would he trust that of Ian Coleman's BIP39 tool? Both are open-sourced, but that fact alone means very little since since most people don't have the skillset to check what the code does and how it does it.

OPs question reminds me of my thread, How many of you check the code of open source software? Everything is available to us like a book, we just don't know how to read it. All we are left with is trusting those who know how to read.

[ranochigo]

Now we are back on the trust dilemma. If OP doesn't trust the random key generation algorithm of Trezor, why would he trust that of Ian Coleman's BIP39 tool? Both are open-sourced, but that fact alone means very little since since most people don't have the skillset to check what the code does and how it does it.

You're not wrong, but the Ian Coleman's code is much more straight forward than reviewing the firmware.

If you don't trust the entropy generated by your devices, then no software implementations can help because the RNG sources are quite similar and would not be verifiable as well. You will want to roll a dice 100 times and record them down. Use SHA256 on the 100 dice rolls then convert it by comparing it to a BIP39 wordlist. ColdCard has a nice python script for you which is as simple as it gets[1].

Some randomness is also needed for the transaction signing as well, unless you're able to see if they use a deterministic value for it.

[1] https://coldcardwallet.com/docs/rolls.py

[Xavofat]

Everything is available to us like a book, we just don't know how to read it. All we are left with is trusting those who know how to read.

I think TREZOR has so many users, some of whom are knowledgeable about code and cryptography, that even though the people who read the open source code is a small minority, that small minority are trusted users who could easily spread the word about clear malicious intent or errors in the code.

Maybe the more immediate threat is the risk of hackers with access to the physical device. 

The best thing for the OP to do is to create a solid passphrase so that he is not reliant on the seed, then keep the TREZOR and seed well hidden.  The probability at that point of anything going wrong seems very low.

[dkbit98]

ColdCard and few other hardware wallets are much better (and more expensive) than Trezor or Ledger wallet for generating more random seed words, but none of them is perfect and most mistakes are usually done by human errors.

The other advantage of using this method is that you can generate a 24 word seed phrase, which the Trezor T will not do.

Is this only the case for Trezor model T?
I can confirm that for Trezor model One you can generate 24 word seed phrase but I am not sure for model T.

[o_e_l_e_o]

Is this only the case for Trezor model T?

Model T generates a 12 word phrase by default, while Trezor One generates a 24 word phrase by default, but you can generate 12, 18, or 24 words on either device by using the trezorctl command with the option -t, using 128 for 12 words, 192 for 18 words, or 256 for 24 words.

See below:

While using Trezor Wallet, Trezor Model T creates a wallet with 12 seed words and Trezor One generates a 24-word seed. Both models are compatible with public standards and it is possible to recover your wallet with 12, 18 or 24-word seed on both devices. In terms of security 12-word recovery seed is safe enough (128 bits of entropy).

Note: For advanced users: It is possible to generate 12, 18 or 24-word seeds on both Trezor devices. If you want to generate recovery seed with different length than default (e.g., 24 words on Trezor Model T), please see initialize device with trezorctl command.

If you are completely unable to review code for yourself, then I would use a manual source of entropy to generate 256 bits of entropy, such as flipping a coin 256 times, and then manually use SHA256 to calculate the checksum on an airgapped computer, and manually convert that number in to a 24 word seed phrase. Then enter that 24 word seed phrase in to Ian Coleman's tool (again, on an airgapped computer) and your Trezor wallet and check that both generate the same addresses. That way you'll know that the seed phrase is truly random and not pre-determined, and the addresses being generated are definitely coming from your seed phrase.

[DireWolfM14]

Is this only the case for Trezor model T?

Model T generates a 12 word phrase by default, while Trezor One generates a 24 word phrase by default, but you can generate 12, 18, or 24 words on either device by using the trezorctl command with the option -t, using 128 for 12 words, 192 for 18 words, or 256 for 24 words.

See below:

While using Trezor Wallet, Trezor Model T creates a wallet with 12 seed words and Trezor One generates a 24-word seed. Both models are compatible with public standards and it is possible to recover your wallet with 12, 18 or 24-word seed on both devices. In terms of security 12-word recovery seed is safe enough (128 bits of entropy).

Note: For advanced users: It is possible to generate 12, 18 or 24-word seeds on both Trezor devices. If you want to generate recovery seed with different length than default (e.g., 24 words on Trezor Model T), please see initialize device with trezorctl command.

I guess I should have been more accurate.  The Trezor T is compatible with 24-word seed phrases, but if you use the default settings it will generate a 12-word phrase.  There's another easy way to set up the Trezor T with a 24-word phrase; initialize it using Electrum. 

[dkbit98]

I guess I should have been more accurate.  The Trezor T is compatible with 24-word seed phrases, but if you use the default settings it will generate a 12-word phrase.  There's another easy way to set up the Trezor T with a 24-word phrase; initialize it using Electrum.  

I think that using their new Trezor Suite software is also generating 24 words by default, but we need someone with Trezor Model T to confirm and verify this.
It is also open source, it has Tor support, and I would suggest downloading software instead of using web version.

We can also verify the binaries for that:
https://wiki.trezor.io/Apps:Trezor_Suite

[Rainbow Bear]

Keep in mind that trezor.io can see all your crypto activity so if you want more privacy you can use trezor with electrum and mew and do everything offline instead of using trezor wallet software.

Also many paranoid people say that if your using windows you should assume everything on your screen is being watched and sent to Microsoft.

[JohnBitCo]

If you don't know how to verify the source code yourself, all that you are left with is trusting that someone else has done it and concluded that the wallet is safe to use. Since dkbit98 brought up the subject, I am surprised he didn't link to this own thread that contains information about how to create your own Trezor wallet.

If you think you are up for the challenge, watch the video and read the instructions. Download the repository, order the parts, and get to work.  

Not everyone is techy to create their own hardware wallets after watching the video. If it was so easy, it could have been the end of business for the Trezor or other hardware wallet manufactures.

Also, i believe if rest of the world have trust on the source code for Trezor, then what is wrong with the OP to blindly trust them as they are in this business for very long time and are being trusted.

[Max_Headroom]

... but is there a 100% mathematical way to verify that they don't have access to the private keys?

I am researching at web for papers about methodological frameworks for the Evaluation Assurance Level specifically to Bitcoin Hardware Wallets.

I think it would be a nice idea as soon as bitcointalk moderators find a good text related to it.. it should be stick to this child board aim to help users to make better decisions. 

It could be general guidances like Glacier Protocol.

If i'm not mistake I read at one of Bruce Schneier books something saying that good crypto starts with a good source of randomness.

So in our case, we should start with the application-specific integrated circuit i(asIC) chip customized for that particular use. Then how that source will communicate to other parts of the hardware, the part responsible for lets say format that key into bip39 format etc..

..
ps-1: Review software functions maybe is easier than review hardware functions since most of hardware are close source.

ps-2: In literature we got some incidents on undocumented functions for Instance hidden Minix OS at Intel chip architecture
https://www.cs.vu.nl/~ast/intel/

ps-3: about IoT devices my research current state 

Citations:
K. Caplan and J. L. Sanders, "Building an international security standard," in IT Professional, vol. 1, no. 2, pp. 29-34, March-April 1999, doi: 10.1109/6294.774938.

Sungyong Cha, Seungsoo Baek, Sooyoung Kang, Seungjoo Kim, "Security Evaluation Framework for Military IoT Devices", Security and Communication Networks, vol. 2018, Article ID 6135845, 12 pages, 2018. https://doi.org/10.1155/2018/6135845

   

[joniboini]

Also, i believe if rest of the world have trust on the source code for Trezor, then what is wrong with the OP to blindly trust them as they are in this business for very long time and are being trusted.

I think "blindly trusting" is not a good choice of words. I do believe that they're capable of making a good HW, but I won't blindly trust them. I will still critize them if they make lots of mistakes and stop using them if they go south.

Just like what happened to Ledger, I do think their HW is a good device, but their recent data leaks shows that Ledger needs to fix a lot of things to gain "trust" from its users again.

[ranochigo]

I think "blindly trusting" is not a good choice of words. I do believe that they're capable of making a good HW, but I won't blindly trust them. I will still critize them if they make lots of mistakes and stop using them if they go south.

Just like what happened to Ledger, I do think their HW is a good device, but their recent data leaks shows that Ledger needs to fix a lot of things to gain "trust" from its users again.

As I've mentioned over and over again, if you are not capable of reading the codes, then you have no choice. Firmware codes are usually fairly long and it would take forever for normal users to attempt to audit them and probably won't even find anything wrong if there even is. I wouldn't go to the extent of blindly trusting them but I would rather find hardware wallets that are more used than those which are less known.

Ledger is not a great example; the problem is with their purchasing system but nothing is wrong with their devices that caused the leak. Auditing the firmware would definitely not prevent that, taking proactive steps to protect your privacy will.

[o_e_l_e_o]

Also, i believe if rest of the world have trust on the source code for Trezor, then what is wrong with the OP to blindly trust them as they are in this business for very long time and are being trusted.

Mt. Gox was in the business for a (relatively) long time and trusted by many users before they lost hundreds of thousands of users' bitcoins.
Bitfinex have been in the business for a long time and trusted by many users despite being hacked for 120,000 bitcoin.
Cryptopia, Quadriga, Bithumb, etc., were all in the business for a long time and trusted by many users before being hacked for thousands of coins.
Binance have been in the business for a long time and trusted by many users despite being hacked for a ton of personal information and KYC data.
Coinbase have been in the business for a long time and trusted by many users despite selling users' data to third parties without their knowledge or consent.
Ledger have been in the business for a long time and trusted by many users before being hacked for huge amount of personal information.

We've seen time and again how blindly trusting a third party has led to loss of coins or personal information. You shouldn't blindly trust any person or any business, regardless of how long they have been around or how many customers they have.