banner
Trezor removes a leak from the wallet
Trezor removes a leak from the wallet
Altcoin

Trezor removes a leak from the wallet

By Alfredo de Candia - 4 Sep 2020

Chevron down

Many users have received an email in the last few hours about the update of their hardware wallet that has been updated to v1.9.3 for the Trezor One model and v2.3.3 for the Model T model.

Well, these updates contain a patch to a “man in the middle” attack that made it possible to recover the hardware wallet passphrase and then steal all the funds.

The feature of tools like Trezor is that they create a wallet and all the addresses derived from it start from the same seed phrase, so all it takes is to enter this to access all the wallets. 

What does the Trezor leak consist of?

In any case, this attack was explained by the team which discovered the flaw and reported it to Trezor’s team, obtaining a reward for the bounty.

It was shown that after entering the passphrase there is no further control over whether or not the user actually confirms the entry.

And this is where, by modifying any wallet, it is possible to take advantage of a “man in the middle” attack and then, once the passphrase has been obtained, criminals can move the victim’s funds as there is no confirmation or warning from the hardware wallet.

Furthermore, the breach can be exploited to lock out the same user and then ask for a ransom in order to unlock the hardware wallet.

Obviously, there is also to keep in mind the complexity of the passphrase used and it is a good idea to use different letters, numbers and special characters or a series of words from a list, which fits BIP-039.

This is yet another vulnerability that this wallet has had to solve in the space of a few months, proving that a hardware wallet is not always the right choice and that it’s always necessary to be vigilant about the type of wallet used.

Alfredo de Candia
Alfredo de Candia

Android developer for over 8 years with a dozen of developed apps, Alfredo at age 21 has climbed Mount Fuji following the saying: "He who climbs Mount Fuji once in his life is a wise man, who climbs him twice is a Crazy". Among his app we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. Sunday Miner, Alfredo has a passion for crypto and is a fan of EOS.

We use cookies to make sure you can have the best experience on our site. If you continue to use this site we will assume that you are happy with it.