TREZOR WALLET Question about possible security risk

[jayman5]

Hi i went onto Trezor security suite and was asked to install a firmware update 2.7.0, all went ok. But unlike a Trezor Suite update this was a firmware update that needed me to enter my password on the device itself. (password not seed phrase)

Leaving aside the risk these genuine firmware updates possibly messing up a device & having to access via the seed phrase what's the bigger security risk?

How do i know a pop up on my screen is a genuine update? and who says its not a hacker pretending to provide a genuine update 2.7.0 say it was a hacker could they take my coins from me entering the password ?

If so is this not a major security risk here?

[BitMaxz]

If the popup windows show up take note of the URL you should check the URL if it's trezor.io which is their website but if you see a different URL meaning it's not genuine.

According to Trezor once you flash your Trezor with unofficial firmware it wipes the data storage if you force it to flash with unofficial firmware I believe this means hackers won't be able to extract the seed phrase from the hardware wallet.

Better read Common security threats from Trezor to avoid them.

[mk4]

1. Before I install a hardware wallet firmware update, I wait a few days after release first to see if there's a problem/exploit, then I carefully check social media if there are issues with the firmware update.

2. Have a separate device/OS/VM for your crypto needs just to be very sure. So every popup will highly be likely from the legitimate source.

[dkbit98]

Leaving aside the risk these genuine firmware updates possibly messing up a device & having to access via the seed phrase what's the bigger security risk?

I never heard someone messing up trezor wallet after update, and you should be fine unless power cuts down in the middle of the update, so it's better to do it with laptop.
Even if something happens you can always reset trezor and install fresh firmware again from trezor suite.
As long as you donwnload from official sources everything should be fine.

How do i know a pop up on my screen is a genuine update? and who says its not a hacker pretending to provide a genuine update 2.7.0 say it was a hacker could they take my coins from me entering the password ?

You can confirm the code on trezor website and github page.
Trezor password can easily be changed any time.

[Eleutheria]

Leaving aside the risk these genuine firmware updates possibly messing up a device & having to access via the seed phrase what's the bigger security risk?

I do not see a bigger security risk with updating the firmware. Some of the times they contain major security fixes to better protect the bitcoins you have there. You can use an additional passphrase for additional security.

How do i know a pop up on my screen is a genuine update? and who says its not a hacker pretending to provide a genuine update 2.7.0 say it was a hacker could they take my coins from me entering the password ?

I mostly ignore popups and do it directly after a bit of time has passed. How the pop up appears also counts, do not be in a haste to take any action.

[crwth]

This has bred somewhat the untrustiness within the cryptocurrency space, especially if you were to experience a scam or rug pull or something. It's really saddening to experience that, and I think a lot of people here have also experienced that. That's where it comes from, that trauma of not trusting anything that you know should protect you, the hardware wallet. I believe you have nothing to worry about as long as you don't put your private keys into your computer or something. It saves you because it's your a hardware wallet, unless your PC is compromised or something.

[HeRetiK]

How do i know a pop up on my screen is a genuine update? and who says its not a hacker pretending to provide a genuine update 2.7.0 say it was a hacker could they take my coins from me entering the password ?

The seed words never leave the device, so a hacker would not be able to steal your coins with just your password.

I would assume malware if the update were to ask for the seed words as well. AFAIK the only situation where Trezor Suite would ask for the seed words would be during wallet recovery. However even during that process you have the option to enter the seed words using your hardware wallet, bypassing any potential malware on your computer.