Trezor hacked (again)

[n0nce]

seed words generated by fake devices were predictable or predefined, passphrase function was also modified!

Interestingly, predictable or predefined seed phrases could theoretically have been "strengthened" by users by adding very complex passphrases so that a hacker couldn't get access to funds. However, considering that the passphrase function had also been altered, compromised seed phrases with added passphrases remained vulnerable to attack. The "alteration" consisted of the following: you insert a very long passphrase into your wallet (e.g. "nKa&8k2#49%7^N4w4YJanN"), but the malicious wallet take into account only the very first symbol of the inserted passphrase, which is "n" in our case. Therefore, all addresses (private keys) were derived not from a combination of malicious seed+long passphrase (which is relatively safe) but from malicious seed+malicious passphrase ("n"). Needless to say that passphrases containing only one symbol are easily bruteforceable.

That's interesting! So they did this (instead e.g. of disregarding the passphrase) to prevent people from noticing that something odd is happening.
I wonder if anyone used multiple passphrases that started with the same character though; since that would have been noticed.

Do you have a source for this information, by the way?

[1714880828]

1714880828

[1714880828]

1714880828

[witcher_sense]

Do you have a source for this information, by the way?

I made a post about this issue a month ago: you can find a link to a video (in russian) in a post I quoted: https://bitcointalk.org/index.php?topic=2897956.msg59989300#msg59989300

[dkbit98]

Interestingly, predictable or predefined seed phrases could theoretically have been "strengthened" by users by adding very complex passphrases so that a hacker couldn't get access to funds. However, considering that the passphrase function had also been altered, compromised seed phrases with added passphrases remained vulnerable to attack.

I don't think this would work because this scammers also changed passphrase function that is not working correctly in this altered Trezor devices, so you would only have false sense of better security.
Not to mention that using very long passphrase (on normal trezor device) is a bad idea, because you would have to enter this long passphrase every time for each transaction you make

[Cricktor]

I'm paranoid enough that I would check proper key derivation of my mnemonic seed passphrase protected wallet(s). On an air-gapped secure computer I check my mnemonic seed with passphrase in iancoleman script; compare derived addresses of hardware wallet with derived addresses in iancoleman script. A rigged device or software wallet that doesn't use my full passphrase wouldn't derive the same keys and addresses as seen in iancoleman script. So I would spot the issue before the wallet gets used.

[n0nce]

I'm paranoid enough that I would check proper key derivation of my mnemonic seed passphrase protected wallet(s). On an air-gapped secure computer I check my mnemonic seed with passphrase in iancoleman script; compare derived addresses of hardware wallet with derived addresses in iancoleman script. A rigged device or software wallet that doesn't use my full passphrase wouldn't derive the same keys and addresses as seen in iancoleman script. So I would spot the issue before the wallet gets used.

That's a very good practice, and you're absolutely right that it would protect you against this 'fake passphrase' attack.
However it's still possible that the base seed is created from bad / known entropy; that's something your method wouldn't spot. Though it wouldn't impact the entropy of your passphrase.

In general, I believe people put too much trust in passphrases. Every so often, when something's brought up like a hardware wallet having a bad source of entropy or not having a secure element, I hear something like 'Oh, just slap a passphrase on it' as a universal solution for all problems. If you were to put all your trust on the passphrase and expect the same entropy as the seed phrase itself, it would need to be much longer than what most people normally choose and can reliably remember.

[Cricktor]

Well, I assembled a PiTrezor as hardware wallet and as long as I can't fully audit the firmware modification from original Trezor One to PiTrezor, I don't trust the PiTrezor to generate me a wallet seed. Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I agree that I wouldn't feel confident in the quality of my wallet seed if I'd need to boost subpar entropy with a freaking complex passphrase. You have to type it from time to time, copy&paste in hot wallet space isn't the best idea for such precious secrets.

[NotATether]

Well, I assembled a PiTrezor as hardware wallet and as long as I can't fully audit the firmware modification from original Trezor One to PiTrezor, I don't trust the PiTrezor to generate me a wallet seed. Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.

Maybe Trezor is not using a checksum at the end of the 24 words and that's why it works well for you.

[witcher_sense]

I don't think this would work because this scammers also changed passphrase function that is not working correctly in this altered Trezor devices, so you would only have false sense of better security.

Obviously, you should never use a compromised wallet, even for testing purposes, for you don't know in advance how sophisticated hackers are at stealing information. My point was scammers are seemingly into social engineering, psychology, and behavioral psychotherapy, they were trying to outsmart advanced users who are aware of the benefits of adding additional randomness into the initial seed.

Not to mention that using very long passphrase (on normal trezor device) is a bad idea, because you would have to enter this long passphrase every time for each transaction you make

Agreed. There should always be a balance between security and convenience.

[dkbit98]

I agree that I wouldn't feel confident in the quality of my wallet seed if I'd need to boost subpar entropy with a freaking complex passphrase. You have to type it from time to time, copy&paste in hot wallet space isn't the best idea for such precious secrets.

I can't even imagine typing all this ''strong long passphrase'' with special characters on hardware wallets like ledger or trezor model T, and you have to do this on devices only.
Since there are no wrong passphrases, a single mistake you make while typing would create new blank wallet with zero balance each time 
This would be nominated as most frustrating hardware wallet for sure.

Agreed. There should always be a balance between security and convenience.

But example you gave us before had multiple special characters and I wouldn't say this was balance between security and convenience

[Cricktor]

... Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.

Maybe Trezor is not using a checksum at the end of the 24 words and that's why it works well for you.

My terminologie is:
seed = 128, 192 or 256 bits long big number (no checksum here, the bare random big integer) — this can be XORed without 'breaking' something
mnemonic seed = the 12, 18 or 24 words which encode the seed including a checksum and maybe other details, usually according to BIP-39, Electrum or Aezeed standard

Trezor is fully BIP-39 compliant, so its mnemonic seed words contain the defined checksum in the last word.

[o_e_l_e_o]

But example you gave us before had multiple special characters and I wouldn't say this was balance between security and convenience

Well, it depends. Even a long and complex passphrase like the one witcher_sense posted I could enter in no more than 5 minutes. Sure, that's no use for a "daily spending" wallet, but if that's my cold storage wallet and I'm only accessing it wallet once or twice a year, then that is a perfectly acceptable balance of security and convenience.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.

In addition to Cricktor's reply above, if you are already using Ian Coleman safely on an airgapped computer, then it is trivial to use it to also calculate the correct checksum for your resulting XORed entropy.

[Cricktor]

<snip>

Oh boy, what a bs story to shill something.

1. Why would you have to "punch in" your 24 recovery words again into your Trezor. A Trezor usually doesn't forget the current setup wallet.
2. So, the unauthorized transactions wiped your wallet empty. Deng! And how exactly was magic A. W. able to recover all your coins once they were transfered to the thieves address(es)? Since when are Bitcoin transactions reversible? Did I miss something?

Do you actually believe the bs bingo you wrote? Btw, you missed to mention quantum computers, qbits, Elon and free energy, maybe black holes, too.

[dkbit98]

Another day and another hack, this time for Trezor model T hardware wallet, and it was done by Crypto Security Firm Unciphered.
First thing I will say is that it's very strange coincidence for this news to be released in same time when ledger messed up with their Recover disaster news, but whatever.
 
I am not surprised at all about this, we all know that Trezor devices don't have secure element and if it was possible to do this with Trezor One than it was going to happen to Trezor Model T as well.
Maybe this was sponsored by one French company, or Unciphered simply decided to use this opportunity for their own promotion.

Unciphered build a custom board, connected Trezor T to it and they had to wait a long time for extraction of PIN and mneomonic words, but they eventually did it.



This is nothing new for all devices without secure element, but there are few ways people can protect against attacks like this:

1. Use multiple strong passphrases - this is easy and free solution available to anyone, and it makes hackers job much harder.
2. Use Multisig setup with your Trezor wallet - this makes it impossible for anyone to extract keys with this procedure.
3. Use Secret Shamir Sharing with passphrase - this should in theory work in similar way like Mutlisig setup.
4. Don't keep any of your keys inside wallet if you don't use it daily, only import when you need to send transaction and then reset it.
5. Use other open source hardware wallet with secure element.

Trezor is making their own secure element so new generation device will be much better, but knowing all this I was not recommending Trezor wallets for some time.
However, risk of this happening to regular people is very low, especially if you improve security like I mentioned.

Hacking Trezor T video process:
https://www.youtube.com/watch?v=50eiA-75NMY

[zasad@]

This article has a response from Trezor
https://www.theblock.co/post/232085/cybersecurity-firm-claims-it-hacked-private-key-from-a-trezor-t-hardware-wallet

I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.

[Pmalek]

It's no secret that both Trezor hardware wallets are vulnerable to physical manipulation and it was confirmed with several hacking videos in the past. This is somewhat similar to Joe Grand's video, which involves taking the device apart and doing some soldering and pins connecting work to a custom board. The hack itself uses different software and hardware.

What they didn't mention in the video is if the success rate depends on the firmware version of the Model T, or if it's equally easy/difficult to obtain the PIN and seed regardless of the firmware.

[taufik123]

-snip-
I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.

LOL, it seems that Ledger is now regressing and not updating features to make it more secure, but adding features to add new risks that will give Seed Phrase access to third-party companies easily. Is it worth defending such a wallet?
Trezor may have physical bugs but they can be fixed without giving access to third parties.

-sip-
What they didn't mention in the video is if the success rate depends on the firmware version of the Model T, or if it's equally easy/difficult to obtain the PIN and seed regardless of the firmware.

maybe it won't explain in detail what the percentage of success is in the Firmware Model T version or some other crucial issues.
Some parts must be kept secret because this involves high-security issues.
Joe Grand has also provided feedback on Trezor to fix the bug, but he will definitely be looking for other hardware wallet model vulnerabilities.

[Pmalek]

Is it worth defending such a wallet?

Ledger? I didn't get the feeling that zasad@ was trying to defend Ledger in any way. Maybe I misunderstood what you wanted to say.
 

Trezor may have physical bugs but they can be fixed without giving access to third parties.

Actually, Trezor's seed and PIN extraction vulnerabilities can't be fixed and require a complete overhaul of their devices. No firmware upgrades will ever fix Trezor One and Trezor T. The security researcher's in the video mentioned that as well.   

Joe Grand has also provided feedback on Trezor to fix the bug, but he will definitely be looking for other hardware wallet model vulnerabilities.

My gut feeling tells me he is trying to break a hardware wallet with a secure element chip. The future will show if he is successful with it or not. He will obviously never release any information until he has gotten in touch with the responsible parties and given them time to fix the problems. This is all assuming that he was successful in recovering sensitive information. 

[zasad@]

-snip-
I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.

LOL, it seems that Ledger is now regressing and not updating features to make it more secure, but adding features to add new risks that will give Seed Phrase access to third-party companies easily. Is it worth defending such a wallet?
Trezor may have physical bugs but they can be fixed without giving access to third parties.

https://forum.trezor.io/t/trezor-wasabi-cooperation-with-chainalysis/12224
One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."
https://consensys.net/terms-of-use/
We will have to use either paper wallets or make a secure PC for cryptocurrencies.

[tenant48]

strong passphrase solves the hacking problem if hackers manage to get to your Seed.
I am by no means justifying Trezor, but there are no ideal hardware wallets, and you have to adapt to those wallets that are on the market.

There is something else that worries me about Trezor. I was one of the first to order my Trezor T in 2018.
Then they sent it to me with a faulty USB cable, which upset me a little. A friend of mine also ordered a Trezor T two weeks ago and was also sent a wallet with a faulty cable.
It's been five years and Trezor hasn't been able to fix the problem with the USB cables. It's really a shame.

[o_e_l_e_o]

One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."

Businesses simply cannot be trusted. Profits trump everything else, always.

It's been obvious for years that you cannot trust any centralized exchange, and that they will scam you, lock accounts, seize funds, gamble your coins, and go bankrupt. It should now be obvious to everyone that you cannot trust hardware wallet manufacturers either. From unfixable bugs, to support for government mandated KYC via AOPP, to directly funding blockchain analysis and spying on their users, to handing your seed phrases to third parties and making it vulnerable to government subpoenas.

The solution is run your own node, trade via Bisq, and as you point out use your own airgapped encrypted cold storage which does not rely on third parties being honest.

strong passphrase solves the hacking problem if hackers manage to get to your Seed.

It doesn't solve it, as the attacker will still have your seed phrase. It mitigates against your coins being stolen if and only if you use a long and random passphrase, but we also know that most people use incredibly weak passphrases.