A developer has acknowledged that a malicious firmware update can “exfiltrate” the seed and record the passphrase of a Trezor device.
This revelation emerged during a discussion on Trezor’s official forum. It is weeks after the Ledger Recover feature suggestion that drew even more concern about the security of assets stored in popular hardware wallets.
Trezor confirmation
The developer emphasized that although open-source software allows for global community scrutiny and the use of hashes and signatures to verify authenticity, these measures do not eliminate the possibility of harmful code being included in an official software release.
He said:
“The firmware running on your Trezor must have access to private keys – otherwise, it could not sign your transactions. That means if the firmware turned malicious, it could exfiltrate the private keys. The only way to prevent that would be to freeze the device so that it could never be updated – and pray that there aren’t any problems in the frozen version already.”
The concern raised by the official Trezor representative is that by the time the community identifies such malicious activity, it could already have caused significant damage to users. Additionally, uncertainties exist regarding potential future governmental actions and policies toward cryptocurrencies, which may impact companies in this space.
These comments have generated concerns among Trezor users, calling for increased transparency regarding the company’s security practices. Suggestions have been made for users to explore hardware wallets from alternative manufacturers. Trezor has asserted its commitment to security and expressed its willingness to collaborate with the community to address any potential risks.
Ledger lambasted for suggesting “Recover” feature
In May 2023, Ledger announced “Ledger Recover” for users to extract their private keys and store them on an external server. Ledger and a third-party custodian were tasked with keeping assets’ private keys.
Despite the assurance from Ledger that private keys would be secure, critics said client assets could be compromised should the third-party server be compromised, placing billions of assets at risk.
At the same time, critics pointed out the decision by Ledger to demand clients submit government-issued identities to access the feature.
In 2020, Ledger experienced a security breach that resulted in the theft of over 270,000 physical addresses belonging to their clients.
