Trezor, the hardware wallet supplier, is calling on new Trezor One owners to upgrade their firmware. This comes weeks after a user pin-pointed a security weakness on Trezor’s memory-write protection that indirectly secures the coin owners private keys. However, for clarification, there has been no exploitation of that security vulnerability which came to light in mid-February 2018.
Regardless, like all service providers, Trezor is taking precautions and urging Trezor One device holders to upgrade for automatic patching. Lest they forget, this upgrade requires use of the device’s recovery pass phrases.
Overly, there is no need of alarm as the vulnerability remains harmless and so far there is no exploitation of the same. Saleem Rashid through Trezor’s Responsible Disclosure Program, notes that whenever there is a deactivation of Trezor’s mem-write protection, the device behaved unexpectedly.
“I am very impressed by the incredibly rapid response from TREZOR. While it’s unfortunate the chip had this issue, SatoshiLabs has implemented an excellent fix. Not only do they fix the issue but also helps prevent other potential attacks.”
Luckily, this stain isn’t visible in Trezor Model T and as such owners need not to upgrade. Besides, even with the deactivation, hackers can’t access the user’s private keys.
Trezor Counter Measures
The new update will simply verify the firmware’s signature when it first confirms the authenticity of the device’s bootloader. This is because this potential security breach works when malicious software takes over and replaces the Trezor’s bootloader. In principle, hackers need to physically install a 3rd party app on the device before attempting to extract private keys.
To counter chances of the device tampering, Trezor is encouraging would-be purchases to check if the seals are intact. Additionally, they should only buy devices from Trezor-approved sellers.
There Is Room for Improvement
In my view, the industry is still nascent and there is still a long road ahead full of developments, flaws and perfection of some sorts. Irrespective of what happens before then, Trezor deserves credit. This is the one company that continues to drive adoption of Bitcoin and cryptocurrencies in general by providing a safe off line solution for coin holders to store their cache.
In this case, “coin storage” means Trezor is just a device that secures transaction signatures, private keys. In turn, these keys do sign or validate transactions within a cryptocurrency network as protocol demands.
To demonstrate, sending transactions within the Bitcoin legacy network will be null if the senders can’t access their private keys. With these keys senders can safely sign and irrefutably confirm that they are the originators of the transactions. After all, Bitcoin depends on Blockchain which in turn is just but a digital ledger of valid transactions.