Trezor Crypto Hardware Wallets
Products
Upcoming products
The last hardware announced was the Trezor Safe 3 product series during the Bitcoin Conference in Amsterdam on October 12, 2023.
So far we do not think the Safe 3 series makes use of a Secure Element from Tropic Square, a company which is backed by the Trezor founders and which is dedicated to creating the first open Secure Chip. Rumors are that Tropic Square products will not be available before 2025, but there have been no official announcements or statements yet.
Controversies
January 2020
Incident summary
Key extraction vulnerability
Kraken Security Labs published an attack that relies on voltage glitching and takes advantage of the architecture of the STM32 microcontroller to extract an encrypted seed. Both Model One and Model T are affected by this unfixable vulnerability.
More information on the attack: https://blog.kraken.com/product/security/kraken-identifies-critical-flaw-in-trezor-hardware-wallets
In May 2023, Unciphered, a company that specializes in recovering lost cryptocurrency, posted a video on YouTube demonstrating how it broke into the Satoshi Labs’ Trezor T hardware wallet using specialized equipment.
In the video, co-founder Eric Michaud dismantles the hardware on the device and connects it to an exploit that was developed in-house. Using specialized software, he is able to extract the seed phrase or private keys to access the wallet.
Unciphered claims they are using a new attack that was developed in-house, but it is not that different from the Kraken showcase, in that the attacker needs physical access and is exploiting the STM32 microcontroller.
Official statement
No official statement is available yet, but there is a statement from Trezor in this article: https://www.coindesk.com/tech/2023/05/24/crypto-security-firm-unciphered-claims-ability-to-physically-hack-trezor-t-wallet/
Our verdict
While the vulnerabilities cannot be fixed in the existing hardware architectures, there is an easy way to protect oneself against these attack vectors.
It is highly recommended to use a strong passphrase (also known as 25th password, or “hidden wallet” as Trezor likes to call it in their software). The passphrase is not stored on the device and cannot be extracted.
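Why the passphrase helps, as an added example (not code from this page or from Trezor). It assumes the standard BIP39 seed derivation, uses the public BIP39 test mnemonic, and the guess rate in `years_to_exhaust` is a constructed figure for illustration:

```python
import hashlib
import math
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    pwd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = b"mnemonic" + unicodedata.normalize("NFKD", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, 2048, dklen=64)


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Search space in bits for a passphrase of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed (constructed) guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


# Public BIP39 test mnemonic, known to everyone: never use it for funds.
MNEMONIC = "abandon " * 11 + "about"


def demo() -> dict:
    # What the device stores: the mnemonic only. This yields the standard wallet.
    standard = bip39_seed(MNEMONIC)
    # The hidden wallet additionally needs the passphrase, which exists only
    # in the owner's head and at the moment it is typed in.
    hidden = bip39_seed(MNEMONIC, "TREZOR")
    return {
        "standard_seed": standard.hex(),
        "hidden_seed": hidden.hex(),
        "seeds_differ": standard != hidden,
        # A 4-digit passphrase versus six random Diceware words (7776-word list).
        "weak_bits": passphrase_bits(4, 10),
        "strong_bits": passphrase_bits(6, 7776),
        "strong_years_at_1e9": years_to_exhaust(passphrase_bits(6, 7776), 1e9),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mnemonic alone only opens the standard wallet; the hidden wallet's seed depends on a value that never resides in flash, so its protection is exactly the passphrase's search space, which is why the passphrase has to be strong.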
August 2019
Incident summary
Trezor Model One OLED vulnerability
The vulnerability relies on the fact that the common SSD13XX OLED screen type used in the Trezor One and other embedded security devices displays information only one pixel row at a time instead of all at once (as is, e.g., typical for TFT screens) and requires a relatively large amount of energy to do so. A security researcher discovered that there is a direct correlation between the number of illuminated pixels on each row and the total power consumption of the device at a particular moment.
An attacker with the ability to perform a power consumption analysis of the device while it is displaying secrets on the screen can conceivably use this partial information of the pixel distribution of each row to recover confidential information via statistical analysis. In particular, this is relevant for the seed words or PIN combination.
The attack requires device owners to use USB equipment that has been physically manipulated by an attacker.
Official statement
https://blog.trezor.io/details-of-the-oled-vulnerability-and-its-mitigation-d331c4e2001a
Our verdict
As the attack was only possible with physical access to the device and only while it was showing sensitive information, which is not the case if, e.g., an intruder steals your device, we feel that this was not something too worrisome.
Also props to Trezor, who were swift and transparent in their reply, and subsequently able to mitigate this attack vector with firmware updates.
Brand
Introduction
Trezor is a leading name in the realm of cryptocurrency security solutions. Established as one of the pioneering hardware wallet companies, Trezor focuses on providing a secure and user-friendly way to manage and safeguard your digital assets. With a track record of prioritizing top-notch security measures, Trezor offers hardware wallets that keep your private keys offline, safeguarding them from online threats and potential hacks. Trezor’s hardware wallets are designed to provide both ease of use and robust protection, making them an appealing choice for individuals seeking to enhance the security of their cryptocurrency holdings.
Company background
Founded in 2013 in Prague, Czech Republic by Marek “Slush” Palatinus and Pavol “Stick” Rusnák
Customer data policy
SatoshiLabs intentionally damages order data – name, address and telephone number. The company publicly states: “At Trezor, we anonymize all purchases after 90 days but we still encourage our users to take additional precautions to protect their data.”
Source: Official blog post, Official wiki page