TREZOR Security Series: Article 2 — Tamper-evident Packaging

For most companies, packaging is just a way to showcase their product, sell it to more customers and present it in the best-looking way possible. We at SatoshiLabs believe that it should be more than a fancy box: good looks combined with high functionality. As a manufacturer and developer of a security device, we need to make sure that your TREZOR will not be tampered with on its way to you, or at least that you will be able to recognize such an incident straight away and act accordingly.

List of tamper-proof protection levels

In security design, a tamper-evident hologram or holographic seal makes unauthorized access to the protected object easy to detect. A package with TREZOR One is protected by two silver seals on both sides and is wrapped in a thin plastic foil (removed in the attached pictures). The packaging is carefully sealed with strong glue.

Note that it's impossible to open the box without tearing it apart.

Anybody trying to tamper with the device would first need to detach the hologram and destroy the box. This will completely destroy the hologram and leave a residue. A device with a missing or destroyed hologram, or with glue residue, should be deemed tampered with. In such a case, please contact our Support Team.

Holographic seals compared

The evolution of packaging

As our hardware and software evolve, the packaging itself is regularly updated too. For example, the following photos demonstrate how holographic seals have become more complex and harder to imitate.

Current packaging of TREZOR One

Holographic seals compared

Apart from the physical tamper-evident hologram, our devices also use software safeguards against tampering. The device firmware and bootloader are signed by SatoshiLabs, and these signatures are checked whenever you start the device. The TREZOR will warn you if the signatures are invalid. Apart from that, we dispatch all of our devices without preinstalled firmware. Therefore you can conveniently check that there isn't any preinstalled malicious firmware.

If the box containing your TREZOR device arrives intact, is protected with holograms, and the device does not show any warnings during the boot stage, you can consider that nobody modified your TREZOR One during transport.