Trezor Fear Circulating (Patreon)
Content
Hey Team
Lots flying around now - folks spreading FUD re Trezor post the Ledger apocalypse.
Just rem 2 things
1) KEEP YOUR SEED SAFE
2) KEEP YOUR KEY SAFE
That's it.
TLDR
- Unciphered claimed to have developed an exploit that could bypass the security mechanisms of the Trezor T hardware wallet.
- The exploit required physical access to the Trezor T and specialized GPU chips.
- Trezor acknowledged that Unciphered's demonstration was similar to a vulnerability that was discovered in 2020.
- Trezor said that the vulnerability could be mitigated by using a strong passphrase.
- Trezor said that it is working on a new secure element for hardware wallets that will address the vulnerability.
THE FUD
Hardware wallets, which store private keys offline and are designed to protect crypto assets, are generally considered highly secure. Unciphered said, however, that the hardware security mechanisms of the Trezor T model can be theoretically bypassed if a hacker had a T wallet in possession.
The type of exploit depicted by Unciphered would only be feasible if the attacker had physical access to the hardware wallet.
In the video, the Unciphered team said it developed an “in-house exploit” that allowed them to extract the wallet’s firmware. Eric Michaud, co-founder of Unciphered, claimed that by leveraging specialized GPU chips, they were eventually able to crack the device’s pin seed phrase.
“We uploaded the firmware we extracted onto our high-performance computing cracking clusters," Michaud explained in the video. "We have about 10 GPUs, and after some time, we extracted the keys.”
Michaud further claimed that fixing this exploit for Trezor T would require a recall of all their products.
Trezor's Response
Trezor acknowledged that Unciphered’s demonstration had similarities with the Read Protection Downgrade (RDP) vulnerability discovered by Kraken Security Labs researchers that affected both the Trezor One and Trezor Model T. This implies that the vulnerability is not new.
"This appears to be a vulnerability called an RDP downgrade attack and as communicated on our blog in early 2020, RDP downgrade attacks require physical theft of a device and extremely sophisticated technological knowledge and advanced equipment," Trezor's chief technology officer Tomáš Sušánka said. "Even with the above, Trezors can be protected by a strong passphrase, which adds another layer of security that renders a RDP downgrade useless.”
Trezor added that it has taken significant steps to resolve the issue in future by developing a new secure element for hardware wallets with its sister firm, Tropic Square.