Earlier today, a concerning post on Medium announced to the world that Trezor devices have a built-in vulnerability. The weak spot involves physically opening the plastic casing of the device and somehow booting it in a way that circumvents PIN and passphrase protection. If true, the Trezor vulnerability would render any device helpless once a hacker has the device in their hands. Trezor immediately wrote a response on its official blog, claiming that some of the arguments raised in the Medium post are inaccurate, and reassuring Trezor users that a new firmware version – 1.5.2 – will fix the vulnerability. Let’s assume for a second that the Trezor vulnerability cannot be patched with the new firmware. What would it take for hackers to exploit this weakness?
Hackers and Thieves
The logistics needed to exploit the Trezor vulnerability are more complex than one would think. Hackers are usually great at breaking into computers, servers and other devices remotely, but they are not necessarily classic thieves. To exploit the Trezor vulnerability, hackers would need to become thieves, or conversely, thieves would have to become hackers.
Breaking and Entering to Exploit the Trezor Vulnerability
Nevertheless, let’s assume that hackers can become thieves overnight. The next part of the heist would involve locating devices to steal and hack into. This presents several challenges, some of which are logistical. Here is a brief, non-exhaustive list of these challenges:
- Hackers would have to locate devices, which means scanning the web for data about where those devices might be.
- This could involve breaking into Trezor’s delivery database, or delivery databases for companies such as DHL.
- Alternatively, hackers could locate specific users through use of social media and chatter about Trezor devices.
- Once hackers draw a map of plausible device locations, they would have to choose those close enough to them to check them out.
- Nothing guarantees that there are devices at these locations. Users could have ordered their devices to someone else’s place, or they might have moved since their purchase.
- In case any location does house a Trezor hardware wallet user, that user might be out and might have taken the device with them.
- Assuming the device is at the location, the hacker must wait until the user leaves the location to break in and steal it.
- If a hacker breaks into a location where there is a Trezor device and the user left the device behind while they are away, the hacker must go in, find the device and go out before the user comes back.
- Assuming the hacker succeeds and has a stolen Trezor in their hands, there is no guarantee that the contents of the device will allow them to break even on their venture. They might have invested a lot of time and effort to steal half a coin, exposing themselves to great danger in the process. Bummer!
Trezor Vulnerability Should Not Generate Widespread Panic
Therefore, this Trezor vulnerability should not generate widespread panic. Anyone who has a device should take the additional precautions that Trezor advises, like updating to 1.5.2, and then take some additional measures to make sure the device is not readily available for a ninja hacker thief to steal. Those who no longer trust their Trezor device in light of the concerning Medium post can switch to another type of device like a Ledger. Maybe other devices are more resilient to physical break-ins.
Nevertheless, our gut feeling tells us that if a hacker discovered this Trezor vulnerability, it might be a matter of time until they discover a physical vulnerability on other devices. Logistics will always provide an additional layer of security. Nonetheless, no one should fool themselves into thinking that any layer of security is 100% ironclad. The best thing we can do at any level is make it too expensive for hackers to achieve their goals. In this case, logistics play into the hands of the Trezor user, making it too expensive and risky for a hacker to take a chance.