The risk with a backdoored TREZOR is not that it generates public/private keys incorrectly (which is what the BIP32 test vectors test). It's that it can leak the private keys/seed via some side channel, or can be told to sign transactions bypassing the usual user confirmation logic.
For leaking private keys via side channels, there are virtually none available, except the ECDSA k value. Deterministic ECDSA is the solution to this. A backdoor that allows the computer to tell the device to empty itself out cannot really be defended against easily, because it's hard to know what software the device is truly running, but the reputation of the creators is sufficient to give good assurance for genuine/unmodified TREZORs. In future software remote attestation techniques might be interesting.
(disclaimer -this is the first I have heard about this project)
I dont know about that... it doesnt have to be backdoored for those situations to arise. hanlons razor n all that.
what about stuff like diff power analysis and van eck [radiation]? how susceptible is the device to interference over the usb? or a radio transmitter or just a mobile phone. anyway if the trezor cannot guard against a malicious PC that it is connected too, whats the point? You wouldnt be connecting it to a POS/PDQ in a hurry... so it is just another thing to go wrong - how many key pairs does it create? I lost bitcoins before when the send change to new/random address 'bug' was squashed and the change address wasnt in my backup keypairs. (damn you satoshi dice
and me for not reading the release notes)
Another avenue is via some basic firmware bug that allows a different amount to be displayed rather than what it is actually asked to be signed... I trust the creators intentions, but this shit is hard to get right - very hard. not knocking anyone but bugs are bugs... I think this attack would be slightly more dangerous than bypassing the sign conformation prompt. am I correct in thinking that the wallet cannot be passworded? maybe a simple left button x times, right button y times would be useful.
I am probably never going to own one though so wont be able to do this kinda testing on it. good luck though guys. I fear the plastic ones might be a bit more damageable from outside noise.
would you show me images of the inside? I would love to know the part numbers. is it easy to disassemble?
I have some good schematics for noise generators (which I have made and use) if this even vaguely interests you? guessing not, but maybe the team (slush et al) might be. hit me up. I can also help with anti tamper (so someone breaks it open, or tries to shave bits off the outside it will purge the secret keys and any other sensitive info - so if it is lost/stolen there is another layer of defence. (potting [setting in resins] would also help, interweave a metal for a mini faraday cage...) - there are also greater options that provide massive security leaps. (dual cypher, dual implementation of cypher, thermo based rng, etc)
We (mistfpga) looked at doing a bitcoin HSM/PayShield type device then the other two got bored with it and went back to breaking things
shame really. but we are more a small group of hardware/software hackers with a strong bias towards crypto.
anyway good work guys. I wish you all the luck. and thanks for posting mike, you got me thinking.
cheers,
steve.
