Trezor recently announced firmware update 1.6.3 for its popular hardware wallet, the Trezor One. This is an important update which deals with the device’s security, among a few other changes.
1.6.3 is an expansion of a previous security update: 1.6.1. In their very recent blog post, Trezor states that “The security patch fixes the same physical attack vector as the one described in the aforementioned update. There is no evidence that this vulnerability has been used in practice”.
Trezor further explains that “the newest firmware verifies the authenticity of the bootloader in the device. The bootloader checks the signature of the firmware. If both are genuine, your device will not display a warning, and therefore your Trezor is safe to use”.
An anonymous security researcher contacted Trezor about the 1.6.1 update, explaining that it left other attack possibilities unsolved. The Trezor team used the suggestions to make further updates.
Trezor explains that current Trezor users (with already set-up and working devices) are unlikely to be susceptible to the same attack. However, if a user has just recently purchased a Trezor One, then it is imperative for them to install or update the device with the most recent firmware before use.
Among other features, the Trezor One firmware update 1.6.3 also includes the addition of 80 more ERC-20 (Ethereum blockchain based) tokens that are now compatible with the device.
Trezor: History of security issues
It is important to note that there were prior security issues with Trezor firmware (1.5.2), leading to many users losing their funds in 2017. Previously, the public also raised questions (2017) about the hardware security of Trezor, stating that Trezor uses “non-secure chips made by STMicroelectronics”.
The Trezor team explains that “the STMicroelectronics chip STM32F205 used in the TREZOR One device contains a flaw, which effectively disables the write-protection employed to protect the bootloader of the device. This is an unexpected and undocumented behavior of the chip. Once the issue was disclosed and replicated, we immediately reached out to the chip manufacturer, STMicroelectronics”. Trezor worked with STMicroelectronics to resolve the issue.
It’s a positive sign to see that Trezor is making continued updates and efforts toward further security and customer care.