In the last few hours many users have received an email about an update for their hardware wallet, now at v1.9.3 for the Trezor One and v2.3.3 for the Model T.
These updates contain a patch for a “man in the middle” attack that made it possible to recover the hardware wallet passphrase and then steal all the funds.
Tools like Trezor create a wallet whose addresses are all derived from the same seed phrase, so entering that phrase is all it takes to access every wallet.
What does the Trezor leak consist of?
The attack was explained by the team that discovered the flaw and reported it to Trezor’s team, earning a bug bounty reward.
They showed that after the passphrase is entered there is no further check on whether or not the user actually confirms the entry.
This is where a “man in the middle” attack comes in: by modifying any wallet, criminals can obtain the passphrase and then move the victim’s funds, as there is no confirmation or warning from the hardware wallet.
Furthermore, the flaw can be exploited to lock the user out and then demand a ransom to unlock the hardware wallet.
The complexity of the passphrase also needs to be kept in mind: it is a good idea to use a mix of letters, numbers and special characters, or a series of words from a list that fits BIP-039.
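Why a passphrase changed in transit produces no error on its own: under BIP-39 the passphrase is only a salt in the seed derivation, so every passphrase opens a valid but different wallet. The sketch below is an added example, not Trezor's code; `wallet_tag` and `check_unlock` are hypothetical helpers, and the mnemonic and passphrases are constructed sample values.

```python
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    def norm(s: str) -> bytes:
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), b"mnemonic" + norm(passphrase), 2048, 64
    )


def wallet_tag(seed: bytes) -> str:
    """Hypothetical short identifier for this example (not a BIP-32 fingerprint)."""
    return hashlib.sha256(seed).hexdigest()[:8]


def check_unlock(mnemonic: str, passphrase_used: str, expected_tag: str) -> bool:
    """Defender-side check: does the unlocked wallet match the tag noted at setup?"""
    tag = wallet_tag(bip39_seed(mnemonic, passphrase_used))
    return hmac.compare_digest(tag, expected_tag)


# Constructed sample input: the public BIP-39 test mnemonic, never a real wallet.
MNEMONIC = "abandon " * 11 + "about"
TYPED = "correct horse 42!"     # what the user typed on the host (constructed)
RECEIVED = "correct horse 42?"  # what arrived after being altered in transit (constructed)


def demo() -> dict:
    tag_at_setup = wallet_tag(bip39_seed(MNEMONIC, TYPED))
    return {
        # The intended passphrase reproduces the wallet recorded at setup.
        "typed_ok": check_unlock(MNEMONIC, TYPED, tag_at_setup),
        # The altered passphrase is accepted by the derivation but opens another wallet.
        "altered_ok": check_unlock(MNEMONIC, RECEIVED, tag_at_setup),
        # Both derivations succeed and return a full 64-byte seed.
        "seed_len": len(bip39_seed(MNEMONIC, RECEIVED)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the derivation never fails, a mismatch can only be noticed by comparing against something the user already knows, which is why confirming the passphrase on the device itself matters.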
This is yet another vulnerability that this wallet has had to fix in the space of a few months, proving that a hardware wallet is not always the right choice and that it is always necessary to be vigilant about the type of wallet used.