Details about the security updates in Trezor One firmware 1.7.1

Last week Trezor released firmware 1.7.1 for the Trezor One. Along with functionality improvements, the release includes security patches for bugs that Trezor learned about on Sept 26th and Oct 24th.

The first bug was reported by independent security researcher Christian Reitter in coordination with Dr. Jochen Hoenicke. They found that it affects a number of open-source projects, including Trezor One and other hardware wallets. After the bug was disclosed to Ledger, Ledger notified SatoshiLabs that it had independently found another variant of this bug, which was reported back to Trezor.

The bugs are in two functions, bech32_decode and cash_decode. A few lines in them cause a buffer overflow if the input is between 85 and 90 characters long and does not contain the character 1. These buffer overflows were detected on Trezor and could only be used to trigger a remote shutdown of the Trezor; no funds are in any danger from these bugs.
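The failure case described above (a long input with no 1 separator) comes down to splitting the string before checking that a separator exists and that both parts fit their buffers. The following is an added example, not Trezor's code: split_bech32, try_filler and the buffer sizes are hypothetical, the length limits are taken from BIP-173, and only the separator and length step is shown (no charset or checksum validation).

```c
#include <stdio.h>
#include <string.h>

/* Limits from BIP-173, not from the Trezor sources (assumption). */
#define BECH32_MIN_LEN 8
#define BECH32_MAX_LEN 90
#define HRP_MAX 83
#define DATA_MAX 88
#define CHECKSUM_LEN 6

/* Split "hrp1data" at the last '1'. hrp needs HRP_MAX + 1 bytes and
 * data needs DATA_MAX + 1 bytes. Returns 1 on success, 0 on rejection,
 * and writes nothing to the output buffers when it rejects. */
int split_bech32(const char *in, char *hrp, char *data, size_t *data_len) {
    size_t in_len = strlen(in);
    if (in_len < BECH32_MIN_LEN || in_len > BECH32_MAX_LEN) return 0;

    const char *sep = strrchr(in, '1');
    if (sep == NULL) return 0;              /* no separator at all */

    size_t hrp_len = (size_t)(sep - in);
    size_t dlen = in_len - hrp_len - 1;     /* cannot wrap: sep lies inside in */
    if (hrp_len < 1 || hrp_len > HRP_MAX) return 0;
    if (dlen < CHECKSUM_LEN || dlen > DATA_MAX) return 0;

    memcpy(hrp, in, hrp_len);
    hrp[hrp_len] = '\0';
    memcpy(data, sep + 1, dlen);
    data[dlen] = '\0';
    *data_len = dlen;
    return 1;
}

/* Constructed input: n 'q' characters, with a '1' at index sep_pos
 * unless sep_pos is negative. Returns data_len on success, -1 on rejection. */
int try_filler(size_t n, int sep_pos) {
    char in[128], hrp[HRP_MAX + 1], data[DATA_MAX + 1];
    size_t data_len = 0;
    if (n >= sizeof in) return -1;
    memset(in, 'q', n);
    in[n] = '\0';
    if (sep_pos >= 0 && (size_t)sep_pos < n) in[sep_pos] = '1';
    return split_bech32(in, hrp, data, &data_len) ? (int)data_len : -1;
}

int main(void) {
    for (size_t n = 85; n <= 90; n++)
        printf("len %zu, no '1': %d\n", n, try_filler(n, -1));
    printf("len 90, '1' at index 2: %d\n", try_filler(90, 2));
    return 0;
}
```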

Trezor urges its community to update to the newest firmware. Note that this update will wipe the device memory if you're currently on firmware 1.6.1 or older, so make sure you have your recovery seed on hand.
