How to prevent if The Trezor release new firmware update to steal Bitcoin

[erictan90]

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

[1714988045]

1714988045

[1714988045]

1714988045

[1714988045]

1714988045

[OmegaStarScream]

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

[jackg]

Also I don't think trezor can force people to update their firmware if they don't want to. I guess they could make it incompatible but since there are other drivers that can be used and it's open source, that makes things a lot harder for them to succeed in an attack.

[erictan90]

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

Been open source is helpful but we need to wait for some time before update it, allowing people to check it first.
I believe many people will immediately update it as soon as new update released  without any doubt.

[m2017]

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

I've always been curious to know how often the source code is checked? When does a new release come out? Who is doing this? How many people check the source code? How much can they be trusted?

Sorry for so many questions. I wanted to know, at least superficially, how this is implemented.

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

It seems to me that if this is implemented, it will be done differently. The regulator will create conditions under which people themselves will be forced to give their bitcoins or part of it in the form of taxes.

[erictan90]

Also I don't think trezor can force people to update their firmware if they don't want to. I guess they could make it incompatible but since there are other drivers that can be used and it's open source, that makes things a lot harder for them to succeed in an attack.

I mean user don't noticed that Trezor is captured and they voluntarily update it.

[jackg]

I mean user don't noticed that Trezor is captured and they voluntarily update it.

I think there's a slight obligation by the user to do a small amount of research before updating (or waiting a few days without installing and update or using the device) to see if anything is unusual. Completely updating to a new UI you're unfamiliar with can be problematic too for example.

[erictan90]

Both Trezor's software and firmware are open-source. If they add malicious code, people would find out[1][2]

[1] https://wiki.trezor.io/Firmware_changelog
[1] https://github.com/trezor/trezor-suite

I've always been curious to know how often the source code is checked? When does a new release come out? Who is doing this? How many people check the source code? How much can they be trusted?

Sorry for so many questions. I wanted to know, at least superficially, how this is implemented.

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

It seems to me that if this is implemented, it will be done differently. The regulator will create conditions under which people themselves will be forced to give their bitcoins or part of it in the form of taxes.

yup, I guess we should use 2 Trezor, 1 for testing if the new update is good when every new update is released.🤔

[witcher_sense]

Hello,

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Regards

In order to prevent being hacked by a Trezor team, you should behave the same way you behave while interacting with the bitcoin network, which is you don't trust what you see, instead you run your own open-source software and maintain your own copy of transactions history to verify everything by yourself before accepting. If you're concerned about the credibility of Trezor, don't run their software, use other open-source alternatives. Don't trust the firmware they are forcing you to install. Either verify it and reproduce from source code or never update your device. Once you bought your hardware wallet, you have become an owner of an autonomous, independent device the security of which shouldn't necessarily be maintained or rely on the company that produced it.

[examplens]

Otherwise, i would repeat what @jackg said about basic security awareness/research from user side.

I agree here.
Waiting a few days to pass the first tests is always a good solution. I do that almost always because it is not uncommon to make another new one with additional improvements, almost immediately after the new version.
I gained that experience in working with the administration of Windows, the new update often caused me unexpected problems.
for Trezor I don't even remember which the last update was mandatory and without it it could not function

[erictan90]

Thanks for all the replies. Really appreciate it. 👍🏻

[Pmalek]

They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Both your Trezors would rely on the same code and software. If you are using the same seed on both, the one where you installed that malicious update would cause you to lose everything. Alternatively, you could have two different wallets protected by different seeds in each of your Trezors. Or two different passphrased wallets.

In theory. If any open-source client releases a backdoored and malicious update, and the vulnerability is not checked or discovered by anyone in the updated code, it can lead to the loss of funds for those who installed the new update. But with hardware wallets, you are forgetting that you have to physically approve the transaction by pressing the correct buttons on the gadget. The malicious code could be written to reveal your seed maybe or have you generate pre-generated addresses that belong to scammers when you want to send a new transaction.     

[dkbit98]

For example, Trezor captured by regulator and regulator wanna confiscate all people Bitcoin.
They will release a new firmware update to steal all people Bitcoin.
How to prevent that? Use 2 Trezor?

Confiscating trezor or any other hardware wallet is not needed if they find (or you give them) your seed words backup.
You can somehow improve safety of your funds by adding multiple passphrases and creating fake decoy account with smaller amount of bitcoins.
Multisig with other hardware or software wallets could also be one of the options but it adds extra layer of complexity and it's meant for storing larger amount of coins.