Recently a physical attack vector on the Trezor One hardware wallet was disclosed by a security researched called Sunny, Trezor was quick to release a firmware update 1.6.1 but the researcher realized that another attack vector of the same type was possible so SatoshiLabs released the new firmware update 1.6.3 on the 30th of August.
Trezor comes with a tamper-evident seal and the attack vector only affects tampered devices, so if you bought your Trezor used or if it came with the seal broken, make sure you update the firmware first then set it up. If you’re updating an older Trezor, make sure to have the correct recovery seed on hand as you’ll need it to set it up.
The newest firmware verifies the authenticity of the bootloader in the device. The bootloader checks the signature of the firmware. If both are genuine, your device will not display a warning, and therefore your Trezor is safe to use.
Trezor upgraded their firmware shutting down a hardware exploit in their micro controller that allows an attacker to modify or replace the bootloader. Trezor confirmed that this vulnerability only affects devices that arrived with no tamper proof seal as this attack can only be done by having physical access to the device, nonetheless, they advised users to update their firmware just to be safe. Quote:
Today, on March 21st, we have released a new security update for TREZOR One devices. This update patches a physical security issue discovered in mid-February through our responsible disclosure program. There is no evidence that this vulnerability has been used in practice. Nonetheless, the new system will also verify the integrity of your TREZOR device, making sure it is safe to use.
We would like to take the time to detail the security improvements made to our firmware, initially detailed on the blog post New firmware update 1.4.1 available for the Nano S published on the 6th of March. Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers.
As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware by following our step by step guide.
Ledger released an important update to the Nano S with firwware version 1.4.1.
The release brings several functional and UX features and some important security fixes.