Replying to Avatar WalletScrutiny

Trezor wallets are always sold without firmware. If it has a firmware, it probably is not new and might have been tampered with. If it apparently has no firmware, it might still be tampered with but that's another story.

When installing/updating the firmware, verifiability is key! Trezor is fully open source and this sophisticated modified hardware would have turned into a useful tool for its user, had he updated to a genuine version but for that, some checks have to be possible:

1. The firmware has to be built from public source code so its code can be audited. Trezor is open source.

2. The firmware has to be **reproducible** so the firmware is provably built from the public source code. Trezor is reproducible.

3. The device has to show the cryptographic fingerprint of the about to be installed firmware so the user can make sure he is installing the correct firmware. A version number is not enough! Trezor did this, recently failed to do this but closed an issue about this recently so we are not sure about the situation.

4. The newly installed version has to contain visible changes that a hacker can't trivially anticipate. Showing an incremented version number is **not enough**.
Avatar
WalletScrutiny 2y ago

Now with the bootloader compromised as was the case with this Trezor Model T, even all these measures might not be enough if the bootloader hot patches firmware updates.

Firmware providers could counter that by either making binary patching hard or by detecting modifications in likely areas of patches.

Reply to this note

Please Login to reply.

Discussion

No replies yet.