Securely storing digital assets is a major concern for most cryptocurrency users. Wallets can be vulnerable to attack and while there are ways to protect yourself, not all users are as vigilant as others. For this reason, many people — including myself — have suggested using hardware wallets for storage because of their offline nature and robust security features. However, a recent post on Medium suggests that even these devices are not immune to attack. One of the most popular hardware wallets, Trezor, apparently was vulnerable. But how much do Trezor users need to worry?
Worrying, but not Damning
The original post claimed that all Trezor devices were vulnerable to a fairly simple hack that allowed private keys to be stolen from the device. As we all know, private keys control coins, so you need to be in control of your keys if you want to ensure you own coins. If this vulnerability were exploited, then all the coins kept on the Trezor would be stolen from the device’s owner. The largest limitation to this attack is that it requires physical access to the hardware wallet itself. This means that there may have been relatively few potential victims, since many people who have hardware wallets keep them inside a safe or vault.
Trezor’s official blog addressed the issue and described how the attack worked. The seed for the private key is saved in flash memory and is moved to RAM during use. Someone with access to the device and the firmware would have been able to extract the seed from the device’s RAM. Trezor has released a firmware security update (1.5.2) to address these issues and to close all known vulnerabilities. The company has urged all users to update their firmware to protect themselves fully, even though the chance of an attacker gaining physical access to one’s device is pretty low already.
A Bit of Controversy
Both Trezor and the author of the original Medium post have accused each other of misrepresenting the situation and spreading misinformation to the public. The original post claimed that all current devices would need to be replaced to fully address the problem and that a firmware update would not sufficiently address the issue. Trezor maintains that this was not true and that its update renders all Trezor devices safe. The original poster has promised to release more information soon, so we will need to wait for their rebuttal to Trezor’s most recent response.
What Does This Mean for Users?
If you are a Trezor user, it means you need to update your firmware as soon as possible. The vulnerability appears to be unique to Trezor devices, so this does not affect you if you have a Ledger or other device. However, it does dispel the myth that hardware wallets are immune to attack. While Trezor responded and fixed the problem quickly, it shows that users of hardware wallets do need to be vigilant and stay up to date on firmware and potential threats. This was not a remotely executed attack as it required the actual device, so things could have been a lot worse.
Remember, you alone are responsible for your private keys and the safety of your cryptocurrency assets. Take the necessary precautions, do your research, and keep yourself safe.