Trezor Model One wallet and thoughts

[Pmalek]

I think this should be especially emphasized when it comes to Trezor, because the customer must know that he is buying something that has a vulnerability that can be very easily exploited if the device falls into the wrong hands without additional protection (passphrase). Hacking that costs about $100 in equipment and about 5 minutes in the time it takes to hack a device is a serious security flaw.

The required hardware for the attack isn't expensive, but it's also important to mention that you have to know exactly what you are doing. Ledger's Donjon team hacked a Trezor several years ago, but nothing was released to the public, of course. There isn't much information that could help anyone else to repeat the procedure. They know what they were doing and with that knowledge, they can get the job done in 5 minutes. But Kingpin, despite being a good hardware hacker, didn't have the needed information or couldn't use whatever details were released in the statements by Ledger to help him hack a Trezor One. He went a different route and it took him 3 months.   

[n0nce]

The video where they demo this custom PCB also doesn't really prove anything, for what we know it could easily be fake.

Do you think that one company would just make such accusations if they are not true? In addition, Trezor never denied that all the allegations made were completely correct - otherwise, the whole thing would have ended with a lawsuit.

Well, they haven't denied the existence of the vulnerability. I don't know if they got their hands on one of these hacking devices, but again it does not matter, because it's just a technicality. Just a way to make the attack cheaper and faster, which I already said is definitely possible. Just that this one video of a black box and a software with a progress bar doesn't add much value really.

He went a different route and it took him 3 months.   

Even for kingpin, the development of the exploit took 3 months, but the execution only a few hours (since he had to wait for the brute-force timing attempt to hit just right).
It's an important distinction to make: time spent researching and time spent executing.

As I said before, I can definitely see how a purpose-made PCB with perfect hard-coded timings and connections can get the job done in 5 minutes and $100 of materials. Just that getting that board will take you months or years of research to find the vulnerability, develop an attack, perfect the attack, and bake it into a PCB.

[dkbit98]

I never saw a single fake trezor device that was successfully used for scamming people, there were some cloned devices that used trezor code but I don't know a single verified case of people losing funds like that.
On the other hand, we all saw those fake ledger devices that used fake pcb board, they looked exactly the same from the outside, had the same packaging, but software was different.
All this was result of ledger leak that resulted in release of home addresses, phone numbers, names and other information from their customers.

Could something similar happen with Trezor after recent Mailchimp leak?
- It's possible, so better be aware of this.