Is it safe to use the Trezor Safe 5 even on an infected computer or mobile ?

[ray_d]

Hello
Please guide
Is it safe to use the Trezor Safe 5 even on infected computers? Because my sister bought Trezor Safe 5, she says that her computer is not infected, but to be sure,
we ask that even if the computer Windows 10 or 11 was infected , it is still safe to use Trezor Safe 5 ?
Can you guide me in a simple way
thank you

[Charles-Tim]

If your computer is infected and someone sent you an address but the malware change the address to the hacker's address and you send bitcoin to the hacker's address, will that be fine?

If the computer is infected, best is to format it and reinstall its OS. Do not use infected device for anything that has to do with your money. Also she should learn about privacy and security. She should avoid malware.

[Zaguru12]

The answer is it depends on the type of hardware wallet you’re using and also the type of virus on that device because ideally some other viruses like trackers cannot track your hardware wallet and make you lose your crypto details like keys because hardware wallet blocks the connection between your device and the wallet.

But if the virus in question is a Keylogger then there is going to be a problem when using some hardware wallets, keylogger record your screen and track your entries on keyboard, for hardware wallets that do not require you enter your details using your computer device it is safe but for devices that requires you use the device keyboard to enter information like pins and passphrase it is dangerous.

If I can remember correctly Trezor uses Trezor suit which can expose your entries to the keylogger since it’s on the computer device as such it is not advisable to use this hardware wallet on an infected computer since you don’t even know maybe it is Keylogger viruses

[Frankolala]

It wouldn't take you the whole day to format your system and reinstall the OS, why do you want to risk your funds by using an infected PC. You will lose your funds and end up in regrets. This is one of the reason why been your own bank comes up with risk and the safety/security of your wallet is in your own hands. When you use an infected PC you have automatically exposed your wallet to scammers for easy access.

[ray_d]

Thanks for the reply

because she have only 1 computer and there is no other computer to backup to install new windows and if if she install new windows then every day there is risk to install infected software on the computer

We check everything before sending to another address and make sure the address is accurate
But I just wanted to know is this the only risk? Or are there other risks?

And is there no risk to the device itself ?


Important question is : for example if the computer was infected then can it detect 24 seed phrase from Trezor Safe 5 ? Has anyone ever heard of this ?

[m2017]

It wouldn't take you the whole day to format your system and reinstall the OS, why do you want to risk your funds by using an infected PC.

Actually, the user may not know that the PC is infected. Do malware programs notify the user of their presence? No, they "wait and see" for the user to make a fatal mistake.

 

Important question is : for example if the computer was infected then can it detect 24 seed phrase from Trezor Safe 5 ? Has anyone ever heard of this ?

This is impossible. This is exactly what hardware wallets are used for, because the seed phrase never "leaves" the device.

[satscraper]

~
Can you guide me in a simple way
thank you

The most that infiltrated computer can typically affect in a transaction is the destination address. That means malware could try to replace the recipient address with one controlled by an attacker.

No matter what anyone says inspecting your machine always assume the worst case scenario ^{i.e machine is infiltrated} when handling crypto transactions. That's why it's critical to carefully verify the recipient address ^{as well as other trx's details}shown on your Trezor's display before confirming and signing the transaction. The hardware wallet’s screen is your last line of defense.
.

[SFR10]

If I can remember correctly Trezor uses Trezor suit which can expose your entries to the keylogger since it’s on the computer device as such it is not advisable to use this hardware wallet on an infected computer since you don’t even know maybe it is Keylogger viruses

You have a point, but the direct PIN entry on Trezor Suite is only present for their Model One devices ^{[the PIN entry for Safe 5 and the remaining models happens on the device itself, as opposed to Trezor Suite]}.
^{- For Model One users, Trezor shows a randomized keypad on your devices as a workaround against keyloggers, while you only see a bunch of dots (as opposed to numbers) on your computer screen.}

[rdluffy]

The purpose of having a hardwallet is exactly that, to secure yourself even with a possibly infected PC 

As they've already said, the biggest risk would be a virus that changes the BTC address when you Copy and Paste, so be very vigilant about this

Other than that, they won't be able (as of today) to extract your seed from the wallet, which is the most important thing
Always write it down offline, never on an online PC

It's also good practice to have an antivirus and always keep Windows up to date

[Forsyth Jones]

A hardware wallet has several security mechanisms to mitigate virtual attacks, and according to the manufacturer, HW devices can be used even on a machine infected with malware. However, a compromised clipboard malware can change the sending address of your wallet to the hacker's address. The best thing to do would be to make sure that the computer is free of malware, and then perform a cleanup and/or inspection.

One of the advantages of a HW is that the mnemonic phrase is generated in the offline environment of the device, so no malware can extract the mnemonic phrase, since this information isn't transmitted to the computer and all transactions are signed with user authentication through interaction confirming physically on the device. You can also create hidden wallets using the BIP39 passphrase as your second line of defense.

Don't trust - verify: even an air-gapped offline device can be infected and have its seed phrase exfiltrated through transaction signatures if you install compromised firmware. For this, your machine doesn't even need to be infected. Dark Skippy: A New Threat to Hardware Wallets

It isn't enough to buy a hardware wallet and place all the responsibility on the device. You must remain vigilant and updated as vulnerabilities emerge, and it's up to the user to update their devices in line with common sense digital security.

[dkbit98]

Can you guide me in a simple way
thank you

Yes.
Install LinuxOS on your sister computer ^{(dual boot for start)} and you don't have to worry about infections ever again.
You can also use TailsOS on your usb stick, and connect Trezor 5 via Trezor Suite web browser app.
I think Trezor Safe 5 also connects to your smartphone, so maybe you don't need to use computer.

[Forsyth Jones]

I think Trezor Safe 5 also connects to your smartphone, so maybe you don't need to use computer.

Yes, not only Trezor Safe 5, but all Trezor models can connect to an Android 12+ device via Trezor Suite Web.

You can even update the firmware through the web version of Trezor Suite.

iOS users can download Trezor Suite, but with send function disabled (only balance reading via XPUBS import).

The initial configuration of a Trezor device can also be done on Android via Trezor Suite Web.

https://trezor.io/guides/trezor-suite/trezor-suite-lite/trezor-suite-lite-faqs

https://trezor.io/guides/trezor-suite/trezor-suite-desktop/trezor-on-android

[satscraper]

As they've already said, the biggest risk would be a virus that changes the BTC address when you Copy and Paste, so be very vigilant about this

Unfortunately that is not the only risk that could come from infected computer or mobile. Malware could trick you to pay unreasonable high fee for your transaction as it is described in the following scenario:

Besides, it could pull off an even more sophisticated trick assigning the large amount to a valid but hard-to-discover change output, hidden under an obscure derivation path like m/44'/0'/0'/372164291/68311443, or something equally sneaky.

Thus, if the hardware responsible for building transaction is infected and it constructs the transaction before sending it for signing on any hardware wallet, then it's fundamentally not secure. ^{relying solely on such setup would be a risky business} .

[rdluffy]

As they've already said, the biggest risk would be a virus that changes the BTC address when you Copy and Paste, so be very vigilant about this

Unfortunately that is not the only risk that could come from infected computer or mobile. Malware could trick you to pay unreasonable high fee for your transaction as it is described in the following scenario:

IMG

Besides, it could pull off an even more sophisticated trick assigning the large amount to a valid but hard-to-discover change output, hidden under an obscure derivation path like m/44'/0'/0'/372164291/68311443, or something equally sneaky.

Thus, if the hardware responsible for building transaction is infected and it constructs the transaction before sending it for signing on any hardware wallet, then it's fundamentally not secure. ^{relying solely on such setup would be a risky business} .

I've never seen this possible hack and from what I understand it never happened, it was just a scenario that was predicted and has already been prevented with the Trezor updates
Has there been a confirmed hack like this?
This exchange of transaction value and fee value is quite inventive 

In any case, keeping the OS and the hardwallet up to date, having an anti virus, and paying attention to what you are doing should be enough to avoid possible hacks

[Cricktor]

If OP's sister only has one computer, I recommend what dkbit98 suggested, to setup a dual-boot environment and better do the crypto coin and wallet stuff on a Linux OS than the most targeted Windows OS by malware.

Do not forget to make a full backup before you start to deploy and setup such a dual-boot environment. There are free tools like e.g. Macrium Reflect Free to perform full image backups. Everybody should have backups. No backups, no mercy.

It's not wise to have your wallets on your daily internet machine, even when the software part of the wallets are watch-only and the hardware wallet does the signing.

Malware on a computer can't reach private keys which are stored securely in the hardware wallet. Malware can only trick you to sign the wrong transaction. Therefore it is crucial to carefully check every detail of a transaction that is about to be signed by your hardware wallet. You shouldn't ever skip the careful verification of the transaction details. For this it is crucial that a hardware wallet has an independent own screen to display all details of a transaction before you confirm to sign the transaction.

Take your time to check and verify all outputs of a transaction are what you expect and that the change address actually belongs to your own wallet. Usually you have some references for the target address where you want to send your coins primarily. As the inputs usually exceed the target amount plus the transaction fee, the excess change amount has to return commonly to your own wallet.

Know the "mechanics" of a Bitcoin transaction and again: check and verify all the transaction details thoroughly. This avoids, you being tricked to sign a malicious transaction.

[btc-freedom-money]

If I can remember correctly Trezor uses Trezor suit which can expose your entries to the keylogger since it’s on the computer device as such it is not advisable to use this hardware wallet on an infected computer since you don’t even know maybe it is Keylogger viruses

You have a point, but the direct PIN entry on Trezor Suite is only present for their Model One devices ^{[the PIN entry for Safe 5 and the remaining models happens on the device itself, as opposed to Trezor Suite]}.
^{- For Model One users, Trezor shows a randomized keypad on your devices as a workaround against keyloggers, while you only see a bunch of dots (as opposed to numbers) on your computer screen.}

I don't understand, can you please try explaining again? Do you mean that trezor suite connected to Model One, will receive the pin I enter? Do I enter the pin on the hw wallet device or do I enter the pin on computer that have trezor suite? You said Model One has a randomized keypad. Is that keypad on the hw wallet device or is it on trezor suite? It sounds very strange that trezor suite would be able to know what the pin is. There would be no reason to buy a Model One, it defeats the purpose of buying a hw wallet. Model One sounds like a medium warm or lukewarm wallet, not entirely hot wallet but not entirely cold wallet.

[Forsyth Jones]

I don't understand, can you please try explaining again? Do you mean that trezor suite connected to Model One, will receive the pin I enter? Do I enter the pin on the hw wallet device or do I enter the pin on computer that have trezor suite? You said Model One has a randomized keypad. Is that keypad on the hw wallet device or is it on trezor suite? It sounds very strange that trezor suite would be able to know what the pin is. There would be no reason to buy a Model One, it defeats the purpose of buying a hw wallet. Model One sounds like a medium warm or lukewarm wallet, not entirely hot wallet but not entirely cold wallet.

You seem to be confused about how the Trezor One PIN works, I'll try to clarify: we have a matrix of dots that appear on the screen of the connected device/computer (host) and on the Trezor One display the actual position of the numbers is displayed, you just need to click (on the connected computer) on each of the dots that represents the correct order of the numerical matrix on the Trezor One display.

Currently, you can set a PIN with up to 50 digits on Trezor One.



Sources:
https://trezor.io/guides/trezor-devices/pin-protection-on-trezor-devices
https://blog.trezor.io/seed-pin-passphrase-e15d14a0b546

[Cricktor]

It sounds very strange that trezor suite would be able to know what the pin is. There would be no reason to buy a Model One, it defeats the purpose of buying a hw wallet. Model One sounds like a medium warm or lukewarm wallet, not entirely hot wallet but not entirely cold wallet.

As Forsyth Jones was kind enough to show and explain how Trezor One does it safely, your assessment of Trezor One is simply wrong. There are numerous Youtube videos that show how Trezor One works. You could have easily informed yourself before you make such statements.

The folks at Trezor aren't stupid, they implemented a quite clever scheme by which Trezor Suite doesn't get the PIN and the mouse clicks don't reveal the numbers on the virtual numberpad that the Trezor One displays.

A wallet is either cold or it is hot, there's no in-between. You can't make a hot wallet cold again. A cold wallet that turned hot by exposure to an online device never can become cold again therefore.

[NotATether]

Wouldn't all this be mitigated by using a sighash that signs the entire transaction? Like SIGHASH_ALL. In fact, almost all transactions use SIGHASH_ALL so this attack method is impossible.

Unfortunately that is not the only risk that could come from infected computer or mobile. Malware could trick you to pay unreasonable high fee for your transaction as it is described in the following scenario:

Besides, it could pull off an even more sophisticated trick assigning the large amount to a valid but hard-to-discover change output, hidden under an obscure derivation path like m/44'/0'/0'/372164291/68311443, or something equally sneaky.

Thus, if the hardware responsible for building transaction is infected and it constructs the transaction before sending it for signing on any hardware wallet, then it's fundamentally not secure. ^{relying solely on such setup would be a risky business} .

[satscraper]

Wouldn't all this be mitigated by using a sighash that signs the entire transaction? Like SIGHASH_ALL. In fact, almost all transactions use SIGHASH_ALL so this attack method is impossible.

SIGHASH_ALL is not the bulletproof in this case. This flag ensures that the transaction’s inputs and outputs cannot be modified after it's signed and broadcasted. However, even with SIGHASH_ALL enabled ^{which most wallets use by default} malware ^{sitting inside machine} can still prevent that transaction from being sent, substitute it and trick user by using above scenario.