
More than two weeks passed since we greeted the New Year 2019. Most of you are probably already heavily committed to your New Year’s resolutions, but just in case you’re not, we have one more resolution for you.

2018 was a very turbulent and volatile year for the privacy and safety of internet users. The year is over and we can leave the past behind and start from the beginning. However, one thing that remains important is the security of your funds and your online identity. So why not go through your security habits and see if you can make any improvements in 2019? You can get inspired by one of the following tips.

1. Start using the Trezor Password Manager.

Do you reuse the same password over and over again on each website? Do you use simple passwords that are easy to crack? Perhaps it is time to leave it to the professionals. Trezor Password Manager allows you to store and manage your online credentials, generate complex passwords and automatically fill them in on the relevant websites. There is no vulnerable master password (which can be cracked and stolen) — just your Trezor device with its trademark security. No more remembering difficult passwords!

2. Get a spare Trezor Hardware Wallet.

If your Trezor device gets damaged or stolen, you can just start using your other device right away by importing your recovery seed to it. You can also use one Trezor for your funds and one for your passwords and digital identity. Having two hardware wallets and dividing your funds between them spreads the risk and gives you an additional layer of security.

3. Start using a strong PIN.

From now on, no more simple PINs such as “1234” or “0000”. Always create a unique PIN that can’t be guessed, and avoid using repeating numbers to increase your security. The PIN can be anywhere from 1 to 9 digits long. You can also use the first two lines of the randomly ordered Trezor PIN matrix — this will provide you with a totally random and uncrackable PIN.

4. Keep your recovery seed safe.

Always remember — your recovery seed is the essential part of your Trezor — keep it safe and never share it with anyone, don’t store it online, and never take photos or screenshots of your seed. If you want to keep your seed phrase safe from fire and physical damage, consider getting our indestructible recovery seed backup made of stainless steel — Cryptosteel.

5. Subscribe to our newsletter.

Don’t worry, we won’t bombard you with marketing materials. We promise to deliver to our subscribers a wide range of information about the latest deals, security updates, news about the most recent firmware updates, and warnings against potential phishing attacks. Get your information straight from the source and subscribe on trezor.io.

Give yourself a New Year’s resolution to stay safe online with Trezor. was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


“Chancellor on brink of second bailout for banks”; these words appeared on the cover of the Times newspaper on 3 January 2009. The world economy was about to plunge head-first into the craziest global experiment, which would affect the lives of billions — all orchestrated by central banks.

While governments and central banks were trying to delay the collapse of the failing financial institutions during the time of the global financial crisis, a new invention emerged from the geekiest depths of the internet. Satoshi Nakamoto, the creator of Bitcoin, did not want to leave all of the decisions to central authorities of power.

Just two months after the Bitcoin White Paper appeared for the first time, the Bitcoin network itself went online. The so-called Genesis Block was mined by the creator of Bitcoin, Satoshi Nakamoto, on the 3rd of January at 18:15:05 GMT. Bitcoin was born.

What did Bitcoin bring to the table?

For the first time, there is a public electronic payment system which allows the transfer of value from one user to another without the need for intermediaries. We now live in a world where anybody can take control of their money into their own hands without fear of government intervention or corporate censorship.

The iconic 3 Jan 2009 cover of The Times source: thetimes03jan2009.com

Perhaps not surprisingly, ever since Bitcoin caught the attention of the general public and legacy media, it also attracted many critics who predicted the project to fail, die, and disappear.

Today, we can say that not only does Bitcoin continue to disappoint the cynics, block after block, but the underlying infrastructure thrives and expands every day. We can confidently say that the brightest minds on the planet work tirelessly with the desire to bring individual financial freedom closer to the masses.

Be it the second layer solutions and sidechains, decentralized exchanges, or main net adoption around the world, there is a strong case for optimism and enthusiasm in years to come.

Breaking News: Bitcoin still kickin’ after 10 years! was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Trezor One: Firmware Update 1.7.2

Today, on December 18th, we have released a new firmware update for the Trezor One, this time with the number 1.7.2. This early holiday present brings you support for the OMNI layer. It is also a sign that the Trezor One keeps on being maintained and developed even as we are working on porting the Trezor Model T firmware back onto the Trezor One.

So let’s look at the details!

The Trezor One firmware update is available in Trezor Wallet (wallet.trezor.io)

OMNI layer (OMNI, MAID, USDT)

With support for the OMNI layer, the Trezor One can now handle OMNI and MAID, as well as the stablecoin USDT (Tether).

U2F fixes

As a part of the update, we are also rolling out U2F fixes for the Trezor One. To be more specific, we have implemented a security fix for a vulnerability discovered by Christian Reitter. As the researcher himself points out, no practical use of the vulnerability has been discovered yet. For more details, read the technical explanation linked below:

Details about the security updates in Trezor One firmware 1.7.2

Miscellaneous changes

The Trezor One will also no longer ask you for your PIN, if you have just set one. It is a small cosmetic change, but it will make the initial setup flow a bit smoother.

About Us

Trezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.

Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.

SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly Trezor, the world’s first cryptocurrency hardware wallet, or CoinMap.org, the primary resource for bitcoin-accepting venues.

Trezor One: Support for OMNI layer was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


On Tuesday, December 18th, we released the firmware update 1.7.2 for Trezor One devices. This release brings support for sending OMNI assets. OMNI is a platform built on top of Bitcoin used by various cryptocurrencies such as Tether. The release also fixes a security issue located in the U2F subsystem that we discovered internally on November 26th.

Please note that several other vendors are also affected by this issue, which influenced aspects of our disclosure process. We would like to thank these vendors for their immediate response and willingness to release their updates so quickly.

The vulnerability consists of an information disclosure in the initial handshake of the U2F protocol which could potentially be leveraged to extract sensitive data. It was found during research by Christian Reitter (independent security researcher working closely with SatoshiLabs) in coordination with Dr. Jochen Hoenicke (security researcher at SatoshiLabs) and was immediately disclosed.

After assessing the impact on the Trezor One, Christian identified a number of external open-source projects which also used the affected data structure and began a coordinated responsible disclosure to inform them confidentially over encrypted and authenticated channels. During this process, we have worked with several projects to help them determine the practical impact on their project. All projects have agreed to the proposed coordinated disclosure.

There is no evidence that the vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

Details about the U2FHID_INIT_RESP information leak vulnerability

Background

The open Universal 2nd Factor (U2F) standard is a strong second-factor security mechanism that helps users keep their important accounts safe. Two-factor authentication systems help in the unfortunate event that account credentials are, for example, stolen by malware. In this scenario, despite obtaining the username and password, an attacker will be unable to derive the cryptographic key held within the U2F device and, without it, is blocked from authenticating successfully to sites that have this protection enabled.

The Trezor One enumerates as a standard U2F HID USB device to fulfill its role as a fully featured U2F hardware token. This functionality was developed on the basis of the C/C++ reference implementation for U2F by Yubico, one of the companies that created this security standard. This reference implementation defines essential data structures & protocol characteristics and is therefore used in parts for several other U2F implementations such as the Trezor One, and the affected data structure originates there.

At the beginning of each U2F session, the host computer and the U2F client device perform a basic two-way handshake before any cryptographic request such as a site authentication is issued. This handshake contains the information leak that is described in the following paragraph.

Issue

The C struct `U2FHID_INIT_RESP` represents the U2F message payload of the U2FHID_INIT handshake reply sent by the Trezor. It is intended to store 17 bytes as defined by the FIDO U2F HID specification. However, due to automatic optimizations related to memory layouts and address boundaries, this particular struct is transparently padded to a new size of 20 bytes by default during compilation. The resulting three additional bytes of hidden data are inaccessible through the regular struct fields, but the `sizeof()` value is increased. This configuration is referred to as an unpacked struct and compilers generally do this to speed up accesses. However, only a minority of structs will be padded, making this behavior easier to miss in practice.

In the `u2fhid_init()` function, `U2FHID_INIT_RESP` is used directly to assemble the message contents of the reply message, and during this process, every regular data field is overwritten with valid data. However, since the struct memory area was not cleared with zeros during initialization and the three hidden data bytes are never written to, these three bytes still contain the raw data that was present in this memory area during the struct initialization, which represents discarded memory of previous Trezor operations.

```c
U2FHID_INIT_RESP resp;
// several write operations to the regular resp data fields
// [...]
memcpy(&f.init.data, &resp, sizeof(resp));
```

At the end of `u2fhid_init()`, the memcpy copies all 20 bytes including the problematic trailing bytes into the packet transmit buffer, from where they are transmitted over USB with each U2FHID_INIT packet.

Impact

The information leak consists of three memory bytes. The returned values have been observed to be stable between subsequent U2F handshake packets and device reboots, but can vary depending on previous actions on the Trezor. This behavior suggests that particular memory contents such as the existing stack protection defense mechanism are likely not impacted. Additionally, Trezor functions that handle sensitive data are designed to scrub the memory areas of the relevant variables before discarding them, which reduces the probability that the information leak can directly expose sensitive data. This can be seen as a mitigating factor, but we are taking no risks and have moved forward to release a patched firmware as soon as possible. This is also motivated by the fact that the problematic function can be invoked without any form of authentication and is not protected by the PIN, because of the U2F design.

Please also note that due to memory layout differences, the exact leak behavior will differ between firmware versions and vendors.

How does this affect the Trezor One?

The described vulnerability can be used by an attacker with local access to the U2F interface to read a small area of previously discarded memory of the Trezor One. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data.

How was the issue fixed?

The bug was fixed by correcting the memory layout of the affected struct via `__attribute__((packed))` and overwriting it with zeros upon initialization.
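The padding behaviour and the fix described above, as an added example that is not taken from the Trezor firmware. The field layout is assumed from the 17-byte INIT response, the type and function names are hypothetical, and a `memset` with a constructed marker byte stands in for leftover stack contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INIT_NONCE_SIZE 8
#define WIRE_LEN 17      /* INIT response length stated in the advisory */
#define HID_DATA_LEN 57  /* assumed data area of a 64-byte init frame */

/* Assumed layout: 8-byte nonce, 4-byte channel id, five 1-byte fields.
 * The uint32_t forces 4-byte alignment, so sizeof is rounded up past 17. */
typedef struct {
    uint8_t nonce[INIT_NONCE_SIZE];
    uint32_t cid;
    uint8_t versionInterface, versionMajor, versionMinor, versionBuild;
    uint8_t capFlags;
} init_resp_padded;

/* Same fields with the packed attribute: no hidden trailing bytes. */
typedef struct __attribute__((packed)) {
    uint8_t nonce[INIT_NONCE_SIZE];
    uint32_t cid;
    uint8_t versionInterface, versionMajor, versionMinor, versionBuild;
    uint8_t capFlags;
} init_resp_packed;

_Static_assert(sizeof(init_resp_packed) == WIRE_LEN, "packed size must match wire size");

/* Write every named field, using constructed sample values. */
#define FILL_FIELDS(r) do {                          \
    memset((r).nonce, 0x11, sizeof (r).nonce);       \
    (r).cid = 0x01020304u;                           \
    (r).versionInterface = 2; (r).versionMajor = 1;  \
    (r).versionMinor = 7; (r).versionBuild = 2;      \
    (r).capFlags = 1;                                \
} while (0)

/* "Before": the struct is never cleared, so padding keeps old memory. */
size_t build_reply_vulnerable(uint8_t out[HID_DATA_LEN], uint8_t stale) {
    init_resp_padded resp;
    memset(&resp, stale, sizeof resp);  /* stand-in for uninitialised memory */
    FILL_FIELDS(resp);
    memset(out, 0, HID_DATA_LEN);
    memcpy(out, &resp, sizeof resp);    /* copies the padding bytes as well */
    return sizeof resp;
}

/* "After": packed layout, zeroed before the fields are written. */
size_t build_reply_fixed(uint8_t out[HID_DATA_LEN], uint8_t stale) {
    init_resp_packed resp;
    memset(&resp, stale, sizeof resp);  /* same simulated stale memory */
    memset(&resp, 0, sizeof resp);      /* the fix: clear on initialisation */
    FILL_FIELDS(resp);
    memset(out, 0, HID_DATA_LEN);
    memcpy(out, &resp, sizeof resp);
    return sizeof resp;
}

/* Regression check: any non-zero byte after the 17 defined ones is a leak. */
size_t stale_bytes_after_payload(const uint8_t *data, size_t len) {
    size_t n = 0;
    for (size_t i = WIRE_LEN; i < len; i++)
        if (data[i] != 0) n++;
    return n;
}

int main(void) {
    uint8_t before[HID_DATA_LEN], after[HID_DATA_LEN];
    size_t nb = build_reply_vulnerable(before, 0xAA);
    size_t na = build_reply_fixed(after, 0xAA);
    printf("before: copied %zu bytes, %zu stale\n", nb,
           stale_bytes_after_payload(before, sizeof before));
    printf("after:  copied %zu bytes, %zu stale\n", na,
           stale_bytes_after_payload(after, sizeof after));
    return 0;
}
```

A `_Static_assert` on `sizeof` against the wire length, as used here, turns this class of layout mismatch into a compile-time failure.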

Timeline
  • 2018-11-26: U2FHID_INIT_RESP information leak is discovered
  • 2018-11-30: Advance notice to vendor #2
  • 2018-12-05: Disclosure to vendor #2
  • 2018-12-12: Disclosure to vendor #3
  • 2018-12-15: Disclosure to vendor #4 (no practical impact)
  • 2018-12-18: Coordinated public disclosure

Frequently Asked Questions

Is my Trezor One safe?

The described vulnerability can be used to read a small area of discarded memory. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data. In addition, there is no evidence that this vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

Is Trezor Model T affected?

The Trezor Model T is not affected by this vulnerability.

I am about to buy a new Trezor One. Will it be affected?

No. Trezor devices are shipped without firmware preloaded, therefore the latest available firmware will be installed upon the first use of the device.

How to update the firmware?

At the time of writing, the new firmware 1.7.2 is optional and available from our web wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2, 1.6.3 or 1.7.1, the update process is straightforward.

If you use older firmware (1.6.1 and older), you will first need to update to firmware 1.6.3. We have added a functionality to our web wallet which will update your Trezor in two steps, if required.

Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.

You can test your recovery seed before you update device firmware.

Are other hardware wallets affected?

Yes. As described previously, we have disclosed the issues to several affected vendors, which includes two hardware wallet vendors, and cooperated with them to resolve the bugs.

All hardware wallets that include the U2F code of the Trezor One are most likely vulnerable.

Revisions to this document
  • 2018-12-18 14:00 CET: Original release.

Details about the security updates in Trezor One firmware 1.7.2 was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


We are incredibly proud to announce that we now offer a native interface for Ethereum, Ethereum Classic, and ERC20 tokens in the beta version of Trezor Wallet (beta-wallet.trezor.io).

Although these cryptocurrencies have been supported by Trezor for a long time, they were available only via third-party integrations, such as MyEtherWallet, MyCrypto and MetaMask. For the fans of these services — do not worry, the integrations still work and we have no plans to change that.

Additionally, we have added Coinswitch as a new partner into our Exchanges.

How does it work?

It is quite simple, really. Thanks to our trademark premium user experience, your ethers are just a few clicks away. Select Ethereum or Ethereum Classic in the currency selector, located in the top-left corner, and proceed by clicking on “Go to Trezor Ethereum Wallet.” Then, you can start using the new interface right away.

If you were previously using any of the third-party integrations and are already protecting your ethers with your Trezor, you will see your balance immediately.

Summary — view your account balance and select your tokens

In this tab, you can see the total balance and the current exchange rate in a fiat currency of your choice. You can also use this tab to add a token of your choice to your wallet, and keep track of your balances for the selected tokens.

Receive, Send

These sections function very similarly to what you are used to. Use the Receive tab to display your receiving address either in the text form or in the form of a QR code. Always remember to verify the address on your Trezor device.

The Send tab allows you to set outgoing transactions and transaction fees. In the advanced settings, you can set the Gas limit, Gas price and add additional data to the transaction.

User manual

For more instructions, see the User manual in this Trezor Wiki article.

Native support for Ethereum, Ethereum Classic and ERC20 tokens available in Trezor Beta Wallet was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Trezor Blog by Satoshilabs - 1M ago

33% off and a free silicone case on Model One, or get 3, pay only 2 for Model T. Do not wait too long, the offer is limited!

Are you hesitating about the best time to buy Trezor, the most trusted hardware wallet? Not sure what to get your loved ones for Christmas? Now that our Black Friday special offer is here, you do not have to wait any longer.

On Black Friday, we offer you two unbeatable deals. Get 3 pieces of our new generation hardware wallet Trezor Model T and pay only for 2. This way you can keep two for yourself (one as a security backup) and use one as a great Christmas gift for your friends or family — way ahead of all the Christmas hustle when deliveries take long weeks, and the shops are crowded.

If you prefer the original, minimalistic and time-proven Model One, you have the chance to get it with an incredible 33% discount and a free silicone case. The number of silicone cases is limited, so do not wait too long. Our offer is only valid from Friday 23 until Sunday 25 midnight CET. Do not miss out on this opportunity before it is too late!

Enjoy our best deal of 2018. And remember: stay secure with Trezor!

About Us

TREZOR One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.

SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly TREZOR, the world’s first cryptocurrency hardware wallet, or CoinMap.org, the primary resource for bitcoin-accepting venues.

Links

TREZOR: trezor.io
TREZOR Shop: shop.trezor.io
TREZOR Wallet: wallet.trezor.io

BLACK FRIDAY deal of the year was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

[PSA] Non-genuine Trezor One devices spotted. Be careful, buy only from Trezor Shop or authorized resellers.

“Imitation is the sincerest form of flattery.” — you have probably heard this proverb before. We have experienced it first-hand, as Trezor clones have been released over the years of our activity. However, in recent weeks, we have discovered something more startling. A one-to-one copy of Trezor One. In other words, a fake Trezor device, manufactured by a different, unknown vendor.

While Trezor clones are marketed under a different name, manufactured by (legitimate) legal companies, allowing you to distinguish them from the original, a fake Trezor tries to replicate the original to the bone. It seeks to be as indistinguishable from the original as possible. It is not dissimilar to counterfeit brand clothing.

Similarly to clothing fakes, a fake Trezor One is often sold at a steep discount. This should act as the first red flag. Others will be described below.

More importantly though, let’s have a look at why fake Trezor devices can be a severe threat to your security. As we did not manufacture the device, we cannot guarantee its function. These fake devices are thus unsuitable for secure storage of cryptocurrencies and other digital assets.

You would not entrust your money to somebody who has already cheated you by selling you a different product than you thought you were buying. We, therefore, recommend not to use this device and report it to us, which would help us fight these scams and provide you with a legitimate device.

As soon as we learned about the existence of Trezor fakes, we started to fervently pursue a number of legal and other steps to prevent those fakes from being produced and distributed, in order to protect you, our customers.

How to check if your device is genuine

The hologram

We warn our customers about the hologram when they log in to wallet.trezor.io for the first time.

If you suspect you have bought a fake Trezor One device, do not use the device and contact our support immediately.

Original hologram seal (above) in contrast with fake hologram seal (below)

A fake Trezor Box (on the left) in contrast with Original Trezor Box (on the right)

How to shop for a genuine Trezor One device

The simplest way to procure your genuine Trezor One is to buy it at the official Trezor shop, official Amazon shop or from official resellers. Be very cautious when buying on other marketplaces, such as eBay, Taobao, AliExpress, unknown Amazon resellers or other places. If you are not sure about the authenticity of the seller or the channel, always proceed with the official channels. You can find more information about the security elements both for Trezor One and Trezor Model T on our Wiki.

[PSA] Non-genuine Trezor One devices spotted. was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
