Firmware Updates for Trezor Model T (version 2.3.3) and Trezor Model One (version 1.9.3)

by Anthony Allen

SatoshiLabs
Trezor Blog

--

We have just released firmware 2.3.3 for the Trezor Model T and firmware 1.9.3 for the Trezor Model One. The updates are not mandatory, but we still recommend installing them: they include a security improvement to the way your passphrase is handled. Read on for details of this and the other changes.

Passphrase

For both Trezor device models, the passphrase feature now takes advantage of Trezor’s on-device confirmation. This addresses a previously known issue: when the passphrase is typed on the computer, a compromised host could send the device a different passphrase from the one you entered.

In that scenario, malware could direct your funds into a wallet hidden behind a passphrase that only the attacker knows, and hold them there until you pay a ransom.

Now, when the host supplies a passphrase, your Trezor first warns you that the passphrase is about to be displayed, so you can make sure no-one is looking over your shoulder. It then shows the passphrase on the device screen so you can compare it with the one you typed. If the two differ, the host has altered it and you should not confirm.

These prompts are not shown when you enter the passphrase directly on the Trezor Model T’s touchscreen, since in that case the passphrase never passes through the host.

The screenshots below show this two-step process as it will appear on your screen:

Passphrase confirmation process on a Trezor Model T.
Passphrase confirmation process on a Trezor Model One.
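The following Python model illustrates why an unnoticed passphrase substitution is so damaging and what the on-device display adds. It is an added example, not Trezor firmware or Trezor Suite code. The BIP39 derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) is the real standard; the "host" and "device" functions are a constructed model of the flow, and the rendering rule that shows non-ASCII characters as "?" is assumed from the UI note later in this post. The mnemonic is the well-known all-"abandon" BIP39 test vector, used only because its expected seed is published.

```python
import hashlib
import unicodedata

# Constructed input: BIP39 English test vector #1 (12 x "abandon" ... "about").
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation. The passphrase is part of the PBKDF2 salt, so any
    difference, even a single invisible character, yields an unrelated 64-byte seed."""
    mnemonic_nfkd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_nfkd, salt, 2048)


def host_sends_passphrase(typed: str, compromised: bool) -> str:
    """Model of the host (assumption, not Trezor code). An honest host forwards what the
    user typed; a compromised one appends a zero-width space, which most desktop UIs
    render as nothing, so the user would never notice without the device display."""
    return typed + "\u200b" if compromised else typed


def render_on_device(passphrase: str) -> str:
    """Assumed device rendering: printable ASCII is shown as-is, everything else as '?'.
    This is the check the user performs: compare this string with what they typed."""
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in passphrase)


def device_session(mnemonic: str, received: str, user_typed: str):
    """Model of the device after the fix: show the received passphrase, derive only if it
    matches what the user says they typed. Returns the seed, or None if the user rejects."""
    if render_on_device(received) != render_on_device(user_typed):
        return None  # user sees the mismatch and declines
    return mnemonic_to_seed(mnemonic, received)


def substitution_is_caught(typed: str = "correct horse") -> bool:
    """Runs the honest and compromised paths and reports whether the device-side
    comparison rejects the substituted passphrase while accepting the honest one."""
    honest = device_session(MNEMONIC, host_sends_passphrase(typed, False), typed)
    evil = device_session(MNEMONIC, host_sends_passphrase(typed, True), typed)
    return honest is not None and evil is None


if __name__ == "__main__":
    seed_a = mnemonic_to_seed(MNEMONIC, "correct horse")
    seed_b = mnemonic_to_seed(MNEMONIC, "correct horse\u200b")
    print("same seed for visually identical passphrases:", seed_a == seed_b)
    print("device shows:", repr(render_on_device("correct horse\u200b")))
    print("substitution caught:", substitution_is_caught())
```

The model makes the practical point explicit: the device cannot know what you intended, it can only show you what the host actually sent, so the protection is only as good as the comparison you perform when the passphrase appears on the screen.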

This issue was pointed out by Marko Bencun of ShiftCrypto and we’d like to thank him for another responsible disclosure!

Because of the coordinated disclosure date set by Marko with the other wallet manufacturers, we were asked to wait until today so that everyone could come up with a fix before we launched our own, to prevent malicious actors from exploiting our competitors’ systems.

Hard limit on transaction fees

We have introduced a new safety mechanism for the Model T to avoid users accidentally sending a transaction with very high transaction fees. Previously, a ‘soft’ limit was in place, where a warning would display on your Trezor and in your browser. This required confirmation from the user but could be accidentally overlooked.

The hard limit rejects any transaction whose fee exceeds ten times the soft limit. Users will be shown an error message reading “Failed to send transaction. Error: The fee is unexpectedly large”. Both limits scale with the transaction size (number of inputs and outputs). For a common small Bitcoin transaction, the soft limit is about 0.005 BTC and the hard limit is 0.05 BTC, ten times higher. For the other Bitcoin-based altcoins to which this applies, the soft limit is set at roughly the equivalent of USD 10 and the hard limit at USD 100.

Disabling this hard limit is possible but not recommended. If you must disable it, please refer to our guide to trezorctl under the heading safety-checks.
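The following Python model shows how a two-tier fee check of the kind described above behaves on realistic inputs, including the effect of relaxing the safety checks. It is an added example, not the firmware's code. The per-kilobyte ceiling (0.02 BTC per kB) and the classic P2PKH size formula are assumptions chosen so that a one-input, two-output transaction lands near the "about 0.005 BTC" soft limit quoted in the text; the `safety_checks` values "strict" and "prompt" are a model of the setting, not its exact semantics.

```python
# Assumed parameters (not taken from Trezor's source code).
MAXFEE_PER_KB_SAT = 2_000_000   # soft ceiling: 0.02 BTC per kB of transaction
HARD_LIMIT_MULTIPLIER = 10      # hard limit = 10 x soft limit, as described in the post

# Constructed transaction: one input worth 1 BTC, paying two outputs.
SAMPLE_INPUTS = [100_000_000]
SAMPLE_OUTPUTS_SMALL_FEE = [50_000_000, 49_990_000]   # fee 0.0001 BTC
SAMPLE_OUTPUTS_HIGH_FEE = [50_000_000, 49_000_000]    # fee 0.01 BTC
SAMPLE_OUTPUTS_HUGE_FEE = [50_000_000, 40_000_000]    # fee 0.1 BTC


def estimate_size_bytes(n_inputs: int, n_outputs: int) -> int:
    """Classic P2PKH size estimate: 10 bytes overhead, 148 per input, 34 per output."""
    return 10 + 148 * n_inputs + 34 * n_outputs


def fee_limits(n_inputs: int, n_outputs: int) -> tuple[int, int]:
    """Return (soft_limit, hard_limit) in satoshi for a transaction of this shape."""
    soft = MAXFEE_PER_KB_SAT * estimate_size_bytes(n_inputs, n_outputs) // 1000
    return soft, soft * HARD_LIMIT_MULTIPLIER


def check_fee(inputs: list[int], outputs: list[int], safety_checks: str = "strict") -> str:
    """Classify a transaction's fee.

    'ok'      -> fee within the soft limit, no warning
    'confirm' -> fee above the soft limit, user must approve a warning on the device
    'reject'  -> fee above the hard limit and safety checks are strict; signing fails
    With safety_checks='prompt' (modelled relaxation), the hard limit degrades to a
    confirmation instead of a rejection, which is why disabling it is discouraged."""
    fee = sum(inputs) - sum(outputs)
    if fee < 0:
        raise ValueError("outputs exceed inputs: not a valid transaction")
    soft, hard = fee_limits(len(inputs), len(outputs))
    if fee > hard and safety_checks == "strict":
        return "reject"   # "Failed to send transaction. Error: The fee is unexpectedly large"
    if fee > soft:
        return "confirm"  # the pre-existing soft-limit warning
    return "ok"


if __name__ == "__main__":
    print("limits for 1-in/2-out:", fee_limits(1, 2))
    for name, outs in [("small", SAMPLE_OUTPUTS_SMALL_FEE),
                       ("high", SAMPLE_OUTPUTS_HIGH_FEE),
                       ("huge", SAMPLE_OUTPUTS_HUGE_FEE)]:
        print(name, "strict:", check_fee(SAMPLE_INPUTS, outs),
              "prompt:", check_fee(SAMPLE_INPUTS, outs, "prompt"))
```

Note the ordering of the checks: the hard limit is evaluated first so that a fee an order of magnitude over the ceiling never reaches the confirmation screen that users have learned to click through.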

General Housekeeping

Users who try to customize their Trezor Model T using images of the wrong size or format will now be shown a warning that the image is invalid, fixing an issue that could cause the device to loop indefinitely. A feature has also been implemented on the Model T which will display the name of the coin when signing or verifying messages.

Derivation paths for Bitcoin Cash have been re-enabled for both devices, as the network’s replay protection now prevents a transaction signed for one chain from being misused on the other. Meanwhile, in a minor change to the UI, non-ASCII characters will now be represented by a question mark on a white background instead of an underscore. We have also cleaned up our supported coins list to remove coins which no longer exist or have been inactive for a long period, and have fixed issues with the Crown coin’s addresses.

That’s all for this month. For a full changelog please refer to our GitHub pages for the Trezor Model One and Trezor Model T, where you can find out more details about each specific change. If you have a change request to make, get in touch; we’d love to hear from you.


Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.