Details of firmware security updates May 2022

More information about potential exploits fixed by the May 2022 firmware updates.

SatoshiLabs, published in Trezor Blog, May 18, 2022

The latest Trezor firmware updates include fixes for potential vulnerabilities recently discovered internally, one affecting the Trezor Model T and three which affect the Trezor Model One. These fixes include a solution to a theoretical exploit discovered by Christian Reitter.

Summary of security fixes

Possible malware attack against Trezor Model T. This attack could use malware installed on the victim’s computer to have the user sign a legitimate-looking transaction, at which point the attacker could exploit the RBF feature to cause the user to transfer all coins held in the account.

Ransom attack affecting altcoins on the Trezor Model One. This attack also requires malware on the user’s computer. The malware waits for the user to generate a new address, which is then confirmed on the Trezor screen. An affected user will then not be able to see or spend funds sent to that address without the attacker’s assistance, creating a ransom opportunity for the attacker.

Soft-lock bypass on Model One. To carry out this exploit, a malicious actor would require malware installed on the user’s computer. Then, with physical access to a device which has been left plugged in to the computer, the attacker could confirm any single bitcoin transaction without needing to enter a PIN.

Unconfirmed evil maid attack on Model One. With physical access to the victim’s Trezor, it is possible to downgrade to a vulnerable firmware version and corrupt the device memory, without entering the PIN or damaging the Trezor. In theory, this might allow the attacker to extract protected data.

This is a type of evil maid attack which could be carried out while the victim is briefly absent, without leaving behind any signs of compromise. The attack depends on downgrading the device firmware; the latest firmware version, 1.11.1, cannot be downgraded, which neutralizes the attack.

What to do to stay protected

The exploits described above have not been seen deployed against any real users. They have been fixed proactively in order to prevent their possible use, and their threat is negated by updating to the latest version of device firmware, as announced in our blog post Firmware updates May 2022.
