Open in app

Sign up

Sign in

Write

Sign up

Sign in

Details about the security updates in Trezor One firmware 1.7.1

SatoshiLabs
Trezor Blog
Published in
7 min readOct 30, 2018

--

On Monday October 29th, we released the firmware update 1.7.1 for Trezor One devices. Besides functional improvements, it contains security fixes for two related issues that we learned of on September 26th and October 24th, respectively.

Due to defensive techniques present in the firmware, the memory corruption triggered by both vulnerabilities activates a controlled shutdown of the Trezor One. This prevents a more dangerous outcome. Consequently, these issues only represent a remote denial of service attack which does not impact the security of the stored data.

Please note that several other vendors are also affected by these issues in different ways, which significantly influenced our disclosure process.

The first vulnerability is a buffer overflow present in the bech32_decode function which is contained in code written by Bitcoin Core developer Pieter Wuille. It was found during fuzz testing research by Christian Reitter (independent security researcher working closely with SatoshiLabs) in coordination with Dr. Jochen Hoenicke (security researcher at SatoshiLabs) and immediately disclosed.

After assessing the impact on the Trezor One, Christian identified a number of external open-source projects which also used the affected function and began a coordinated responsible disclosure to inform them confidentially over encrypted and authenticated channels. During this process, we have worked with several projects to help them determine the practical impact on their project. Pieter Wuille has confirmed the bug. All projects have agreed to the proposed coordinated disclosure.

After disclosing of the bech32_decode issue to Ledger in a later stage of the disclosure process, Ledger notified SatoshiLabs that they had found this issue independently and disclosed a second variant of the vulnerability in the cash_decode function. This function is present in bech32-derived code in the trezor-crypto library, and therefore relevant to Trezor-based projects. Similar to the bech32_decode issue, this buffer overflow is reliably detected on the Trezor One and can only be used to perform a denial of service attack. We thank Ledger for informing us about this issue.

There is no evidence that either of the vulnerabilities has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

Details about the vulnerabilities

bech32_decode

The C reference implementation for bech32 by Pieter Wuille has an unsigned integer overflow that can lead to a buffer overflow. The problematic statements are:

hrp_len = input_len — (1 + *data_len);
if (hrp_len < 1 || *data_len < 6) {

If the address input string does not contain the separator ‘1’, *data_len is equal to input_len and hrp_len would be assigned to -1. However, hrp_len, input_len, etc are declared as unsigned (size_t), so hrp_len is really set to MAX_UINT, which is a large number. This causes the corresponding if-condition for the error case (which is validating the result) to fail and the malformed nature of the input is not immediately detected. The following loop then copies input to hrp. This loop bails out when the null-terminator is found, limiting the number of bytes that are written.
The problematic case is if the input is between 85 and 90 characters in length (longer inputs are not accepted) and does not contain the character ‘1’. In this case the whole input is copied, which can be up to 90 bytes, however, the function segwit_addr_decode() only reserves 84 bytes for hrp, causing out-of-bounds writes of a limited value range.

cash_decode

The cash_decode function in the trezor-crypto library allows an out-of-bounds write in the following statements:

if (i + 6 < input_len) {
    data[i — (1 + hrp_len)] = v;
}

The if-condition is there to not copy the checksum to the output. However, cashaddr uses 8 character checksum, so the value 6 (which comes from the BIP-173 code) is incorrect. The code only skips the last six bytes and copies two bytes from the checksum, which can overflow the output buffer.

How does this affect Trezor One?

The bech32_decode and the cash_decode issues only affect the firmware versions 1.6.2 and 1.6.3. Previous versions did not contain the problematic code or prevented the transfer of long address inputs to the device, which mitigates the issue. Both vulnerabilities can be used to trigger a remote shutdown of the Trezor One with the error message “Stack smashing” via browser-based or local attacks without additional user interaction.

How were the issues fixed?

Both bugs were fixed by preventing the out-of-bounds accesses in the code.

Timeline

  • 2018–09–26: The bech32_decode issue and resulting buffer overflow are discovered and documented in SatoshiLabs-internal tracker, initial fix is suggested.
  • 2018–09–27: Crash is reproduced on Trezor One hardware.
  • 2018–09–28: Internal proof of concept for remote attack scenario.
  • 2018–10–04: First attempt to inform Pieter Wuille.
  • 2018–10–06: Second attempt to inform Pieter Wuille.
  • 2018–10–11: First round of disclosure to affected projects. Initial contact with Pieter Wuille.
  • 2018–10–13: Additional project is informed.
  • 2018–10–14: Pieter Wuille confirms the bug.
  • 2018–10–16: Additional project is informed.
  • 2018–10–17: Additional projects are informed.
  • 2018–10–18: Additional projects are informed.
  • 2018–10–23: Proposed public disclosure release date: 2018–10–30
  • 2018–10–24: Ledger is informed. The cash_addr.c vulnerability is
    disclosed by Ledger to SatoshiLabs.
  • 2018–10–25: Disclosure of cash_addr.c vulnerability to other affected projects, firmware update 1.7.1 is prepared and signed.
  • 2018–10–26: Additional project is informed.
  • 2018–10–30: Coordinated public disclosure.

Frequently Asked Questions

Is my Trezor One safe?

The described vulnerabilities can only be used to shut down your device. In addition, there is no evidence that either of the vulnerabilities has been used in practice.

Is Trezor Model T affected?

The Trezor Model T is not affected by these vulnerabilities.

I am about to buy a new Trezor One. Will it be affected?

Trezor devices are shipped without firmware preloaded, therefore latest available firmware will be installed upon the first use of the device. However, the Trezor Wallet will suggest installing version 1.6.3 during the next four weeks.

During that period you will need to obtain version 1.7.1 from our Trezor Beta Wallet. After this period is over, the latest firmware will be offered from the Trezor Wallet as well.

How to update the firmware?

At the time of writing, the new firmware 1.7.1 is optional and available from our the Trezor Beta Wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2 or 1.6.3, the update process is straightforward.

If you use older firmware (1.6.1 and older), you will first need to update to firmware 1.6.3. We have added a functionality to our Trezor Beta Wallet which will update your Trezor in two steps, if required.

Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.

You can test your recovery seed before you update device firmware.

Why beta wallet?

Firmware update 1.7.1 is available from the beta wallet because it also includes a functionality change which replaces the HID communication protocol with WebUSB. This allows us to bring our web wallet to a much bigger range of devices such as Android Phones and Chromebooks. Although this change has been tested internally for several months without any problems, we are rather cautious in deploying big changes like this. After several weeks, this update will appear on our regular web wallet.

Are other hardware wallets affected?

Yes. As described previously, we have disclosed the issues to several affected vendors, which includes two hardware wallet vendors, and cooperated with them to resolve the bugs.

All hardware wallets based on the Trezor One design or trezor-crypto library are most likely vulnerable.

Revisions to this document

  • 2018–10–30 14:49 CET: Original release.
  • 2018–10–30 16:03 CET: Rephrased “I am about to buy a new Trezor One. Will it be affected?” section to be more accurate.
  • 2018–10–30 17:28 CET: Correct the details about “cash_decode” issue.
  • 2018–10–31 02:24 CET: Stylistic edits and emphasis added.

About Us

Created by SatoshiLabs in 2014, the Trezor One is the original and most trusted hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, and serves as the second factor in Two-Factor Authentication. These features combine with an interface that is easy to use whether you are a security expert or a brand new user.

Trezor Model T is the next-generation hardware wallet, designed with the benefits of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.

Bitcoin
Trezor
Security
Firmware
Updates

--

--

SatoshiLabs
Trezor Blog
Follow

Written by SatoshiLabs

12.2K Followers

Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.

Follow

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams