top | item 35955255


KryDos | 2 years ago

Does it mean that at the moment of releasing 2.0.4 the Trezor team already knew there is a fake firmware circling around?

I wonder if the Trezor team communicated that in some maybe different way than that line in the CHANGELOG. Not blaming them of course, just wondering.


grumple|2 years ago

lxgr|2 years ago

None of the methods proposed by Trezor would frustrate the attack mentioned in the article:

Validate the holograms: Most users aren't forensic experts and don't have an authentic physical sample to compare their evaluation target to, only photos of one.

Only buy from authorized resellers such as the official Amazon shop: Fake products have been introduced into Amazon's supply chain before [1].

The bootloader validates the firmware and displays a warning otherwise: Sure, but so does the fraudsters' bootloader.

[1] https://www.redpoints.com/blog/amazon-commingled-inventory-m...

londons_explore|2 years ago

If I were Trezor and became aware of a fake firmware, I would:

* Offer rewards to anyone able to send me the fake devices or clues as to who is making them.

* Tell my clients to upgrade the firmware on devices before use. Make sure every new firmware is distinctive in some way - for example the boot screen, and tell the users to check for that to ensure they are actually running the firmware they thought they just flashed.

StingyJelly|2 years ago

A more sophisticated version of the malicious firmware could try to patch the new OTA firmware image on the fly. Once compromised - always compromised.

radicaldreamer|2 years ago

Seems like this could also be an insider threat where someone at Trezor knew all the BOM details and could pull this off.