Bitcoin Forum
Author Topic: Trezor Safe 3 Vulnerable to Physical Attacks?!  (Read 118 times)
Pmalek (OP)
Legendary
Activity: 3374
Merit: 8930
March 13, 2025, 08:26:02 AM
Last edit: March 13, 2025, 09:23:23 AM by Pmalek
Merited by hugeblack (4), Lucius (1), SFR10 (1), DdmrDdmr (1), dkbit98 (1), DireWolfM14 (1), tenant48 (1)
#1

Ledger's Donjon security team has just released a security report claiming that the new Trezor Safe 3 is susceptible to physical supply chain attacks.
The link to the report, including technical details, is available here:
https://www.ledger.com/why-secure-elements-make-a-crucial-difference-to-hardware-wallet-security

Here are the key takeaways from Ledger's findings:

- Despite Trezor's use of a secure element in the Trezor Safe 3, an attacker with the needed knowledge and hardware could tamper with the wallet, install malicious software, and gain access to the user's coins.
- The Safe 3's security model combines two chips: the secure element and the microcontroller chip. The Optiga Trust M secure element protects against cheap hardware attacks, like voltage glitching.
- However, the microcontroller is vulnerable to manipulation attacks because cryptographic operations are still performed on it. In theory, a hacker could modify the software on the microcontroller flash memory to steal the user's crypto by introducing biased entropy and seed generation or manipulating the nonce of ECDSA signatures.
- Trezor's microcontroller TRZ32F429 is electrically identical to an STM32F429, making it vulnerable to voltage glitching.  
- Trezor has a firmware integrity check as a way to protect against modified software, but Ledger Donjon managed to bypass this safety feature.
- Trezor Safe 5 uses a more advanced microcontroller, STM32U5, which isn't vulnerable to attacks like voltage glitching, ultimately improving the security of the device.

Ledger Donjon had to manipulate the microcontroller physically and desolder it to perform the attack. The picture below shows that an inexperienced eye couldn't differentiate between a genuine and a modified Trezor Safe 3.


Ledger also mentioned the following information about the Optiga Trust M secure element by Infineon:
Quote
The Secure Element used in the Trezor Safe 3 and Trezor Safe 5 is an Optiga Trust M (aka SLS32) sold by Infineon. It consists of both an Integrated Circuit (the chip proper, made out of silicon-based transistors), and fixed, un-updateable software, programmed onto the chip by Infineon in their production lines. This software is fully closed source.

Ledger Donjon claims they reported all their findings to Trezor and that the company addressed the vulnerability accordingly.  


Sources:
https://www.ledger.com/why-secure-elements-make-a-crucial-difference-to-hardware-wallet-security
https://x.com/P3b7_/status/1899863743036874795


Edit: This is Trezor's response to the findings of Ledger Donjon. They confirmed that Ledger's security team demonstrated a way to successfully manipulate the security of a Trezor Safe 3 with physical access to the device, but they restate that the attack method can't result in stealing the PIN or keys from a device.
 
https://blog.trezor.io/trezors-multi-layer-defense-against-supply-chain-attacks-54541f410389

hugeblack
Legendary
Activity: 3122
Merit: 4451
March 13, 2025, 10:56:20 AM
#2

- However, the microcontroller is vulnerable to manipulation attacks because cryptographic operations are still performed on it. In theory, a hacker could modify the software on the microcontroller flash memory to steal the user's crypto by introducing biased entropy and seed generation or manipulating the nonce of ECDSA signatures.

So, reformatting the device and updating the software/firmware should prevent such a supply chain attack.
I think Ledger's Donjon security team is trying to prove itself rather than a serious security vulnerability.
tenant48
Full Member
Activity: 365
Merit: 195
March 13, 2025, 11:59:01 AM
Merited by hugeblack (2)
#3

So, reformatting the device and updating the software/firmware should prevent such a supply chain attack.
I think Ledger's Donjon security team is trying to prove itself rather than a serious security vulnerability.

As far as I understand, this is not entirely true.
The Trezor article says the following:

Quote
Ledger Donjon researchers didn’t extract a private key or PIN from the tested device.

However, they demonstrated a way to bypass the authenticity check, and the firmware hash check in Trezor Safe 3 using advanced tools and a high level of hardware expertise.

……….

Users who purchase from official sources remain fully secure.

That is, only those users who made a purchase from official sources are safe.

 

Lucius
Legendary
Activity: 3850
Merit: 7074
March 13, 2025, 12:14:55 PM
#4

Somehow it doesn't seem to me that there is a single hardware wallet that is not subject to physical attack, it's just a matter of how much money and time someone will invest to prove it. It is obvious that there is a certain vulnerability here, but it is also more than evident that LDST is looking for vulnerabilities in their direct competition - but I would always choose any Trezor rather than Ledger for reasons that are probably well known to everyone.

Speaking of vulnerabilities, one of the older Trezor models has an unfixable vulnerability that allows extracting the seed when the device is in physical possession and when no passphrase is set.

Pmalek (OP)
Legendary
Activity: 3374
Merit: 8930
March 13, 2025, 12:55:37 PM
Merited by hugeblack (2)
#5

So, reformatting the device and updating the software/firmware should prevent such a supply chain attack.
In theory, yes. The remote attack would only work if someone had prior physical access to the device and were to install malicious software on it. If you moved from that back to an official firmware, I guess you would be safe. At least that's how I understood it, but I am not sure.

This isn't too serious of an issue anyway. It can only become a problem if someone else with enough hardware and software knowledge had access to your wallet. They wouldn't be able to extract PINs and keys, but they could install software that generates weak/biased entropy for your seed and then use that knowledge to remotely empty your wallets in the future.

Speaking of vulnerabilities, one of the older Trezor models has an unfixable vulnerability that allows extracting the seed when the device is in physical possession and when no passphrase is set.
Both the Trezor One and Trezor T suffer from the same vulnerability. That attack vector is fixed in the Safe 3/5, though.

dkbit98
Legendary
Activity: 2842
Merit: 8472
March 13, 2025, 10:41:18 PM
#6

I have to read both sources carefully to get the full picture, but if I understand correctly, an attacker would need to take your device, open it, and then modify it.
Or scammers could buy a bunch of devices from the official Trezor website, modify them with malicious code, and then sell them to users.
Maybe Trezor could replace it with some improved model, but there are no perfect chips without flaws... and I can't wait for Donjon to test the Tropic01 secure element.
I don't know how Trezor "fixed" this, but this scenario is unlikely to happen in real life.

Pmalek (OP)
Legendary
Activity: 3374
Merit: 8930
March 14, 2025, 07:57:36 AM
#7

I have to read both sources carefully to get the full picture, but if I understand correctly, an attacker would need to take your device, open it, and then modify it.
Or scammers could buy a bunch of devices from the official Trezor website, modify them with malicious code, and then sell them to users.
Yes. For the manipulation to work, someone would need physical access to the device to manipulate the microcontroller and its software. But even that can't recover the wallet's PIN.

I have second thoughts about the private keys now. The report says that a malicious piece of software could manipulate the nonce of ECDSA signatures. Doesn't this mean that an attacker could eventually get hold of a private key after multiple signatures with it by the rightful owner? Even if that were true, if you aren't reusing the same address over and over again, you would be safe from this as well unless the attacker can get hold of your master private key.

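Pmalek's question above, whether a manipulated ECDSA nonce can expose a private key, comes down to the signing equation. The following is an added example, not code from the thread, from Ledger's report or from Trezor: textbook ECDSA over secp256k1 with a constructed key and constructed nonces, showing that one signature is enough to solve for the key once the nonce is reproducible by a third party, and that two signatures sharing a nonce leak it as well.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def ecdsa_sign(d, z, k):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 * (z + r*d) mod n."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def key_from_known_nonce(r, s, z, k):
    """The signing equation solved for d once k is known: d = (s*k - z) * r^-1."""
    return (s * k - z) * pow(r, -1, N) % N

def key_from_reused_nonce(sig1, z1, sig2, z2):
    """Two signatures with equal r share k: k = (z1 - z2)/(s1 - s2), then d."""
    (r, s1), (_, s2) = sig1, sig2
    k = (z1 - z2) * pow((s1 - s2) % N, -1, N) % N
    return key_from_known_nonce(r, s1, z1, k)

def hash_msg(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def demo():
    """One signature suffices when the nonce is reproducible by a third party."""
    d, k = 0x1C0FFEE, 0xD0D0CAFE  # constructed key and firmware-chosen nonce
    r, s = ecdsa_sign(d, hash_msg(b"spend 1 (constructed)"), k)
    return key_from_known_nonce(r, s, hash_msg(b"spend 1 (constructed)"), k) == d
```

The key never leaves the device in this scenario; it is inferred from signatures the rightful owner makes, which is why firmware integrity rather than key storage is the point in dispute.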
takuma sato
Hero Member
Activity: 813
Merit: 709
March 27, 2025, 01:57:44 AM
#8

I think people shouldn't use hardware wallets, period. If you use a hardware wallet, what message are you sending? Well, you are telling the world, look, I'm such an advanced Bitcoin user, and there may be potentially millions worth of $$$ inside this device, and so what you'll be potentially facing is a $5 wrench attack, or a prosecution by some jurisdiction after they stop you in an airport, and so on. So in my opinion, you want to get a laptop you don't use for anything except for BTC, that does not stand out and looks like a regular laptop, and then manage your private keys from there in a Linux distribution of choice, and you have much more control and less paranoia about whether the device was tampered with before you acquired it.
Pmalek (OP)
Legendary
Activity: 3374
Merit: 8930
March 27, 2025, 10:07:44 AM
Merited by SFR10 (1)
#9

I think people shouldn't use hardware wallets, period. If you use a hardware wallet, what message are you sending? Well, you are telling the world, look, I'm such an advanced Bitcoin user, and there may be potentially millions worth of $$$ inside this device, and so what you'll be potentially facing is a $5 wrench attack, or a prosecution by some jurisdiction after they stop you in an airport, and so on.
I wouldn't go that far. First of all, there is no need to take your hardware wallet with you when you are travelling and visiting other countries. If you are planning to spend bitcoin during your journey, you can do that through hot wallets on your phone or laptop. You wouldn't carry a safe with you either to keep your cash in. The hardware wallet is similar, but for digital money and keys. Leave it at home.

Also, there are physical shops in different countries where you can buy hardware wallets for cash like any other electronic device. No one needs to know what you bought except the people who saw you.

So in my opinion, you want to get a laptop you don't use for anything except for BTC, that does not stand out and looks like a regular laptop, and then manage your private keys from there in a Linux distribution of choice, and you have much more control and less paranoia about whether the device was tampered with before you acquired it.
If we are going to go paranoid, then we need to keep in mind that border police can inspect your laptop and phone if they want to and if they think you are 'suspicious'. If it's encrypted and they can't access something, they might ask you to give them access, stating any of the usual crap like fighting terrorism, money laundering, underage pornography, etc. Good luck not cooperating with them and reminding them of your rights.
