On June 25th, we released a firmware update for Trezor One devices, bringing new features and adapting the device to the structural changes of several cryptocurrencies. The firmware version 1.6.2 also contains two security fixes for issues discovered on May 25th, the details of which are going to be introduced in this article. We have opted to delay the release of the details for a number of reasons, but the main rationale was that the major aspects of these issues affect outdated firmware (1.6.0 and earlier) of Trezor One. The existing firmware 1.6.1, released on March 21st (prior to discovery of these bugs) had already partly mitigated these issues.

The main takeaway from this article is that you should always keep your Trezor device up-to-date.

There were two security fixes included in this firmware update. Both bugs were discovered and responsibly disclosed by Christian Reitter during the research of his master’s thesis under the supervision of Dr. Jochen Hoenicke (also a security researcher at SatoshiLabs) and Dr. Daniel Dietsch. The first one is a buffer overflow bug, affecting devices with firmware 1.6.0 and earlier. The second one is a stack overflow bug in the dry-run recovery, affecting devices up to firmware 1.6.1.

There is no evidence that either of the vulnerabilities has been used in practice.

Too long, did not read

Two important security issues were fixed in 1.6.2. All Trezor One devices should be updated to the latest firmware version.

The Trezor Model T is not affected by this vulnerability.

We would like to thank Christian Reitter, Dr. Jochen Hoenicke, and Dr. Daniel Dietsch for working with us during the discovery and the development of the patch for these bugs. Their work proves that Trezor remains under the closest scrutiny to the benefit of all Trezor users’ security.

Details about the vulnerabilities

What was the issue?

The security issues were discovered by Christian Reitter with the help of extensive fuzz testing during his academic research about Trezor One. As a result he discovered the two following bugs.

Buffer overflow

The first issue that Christian found is a buffer overflow. The bug can be exploited by an attacker who floods the device with data packets of a specific type. After a certain number of packets, the buffer overflows, allowing the attacker to write up to 60 bytes of data into a protected part of the memory. Depending on the memory layout the flaw can be escalated to arbitrary code execution (firmware 1.5.x), or has no consequences (1.6.0 and 1.6.1)

This bug affects mainly Trezor One devices with firmware version 1.5.2 and below. Since firmware 1.6.0 can be downgraded, it indirectly affects devices with this version as well. However, physical access to the device is required to perform this downgrade. Devices with firmware 1.6.1 are unaffected due to other changes to the firmware, which moved the protected part of the memory into a different section of the device.

The attack method requires the attacker to install malware on a host device (computer) of an unsuspecting Trezor owner to obtain sufficient access to the USB interface. The bug also cannot be triggered by a malicious, fake Trezor Wallet, because the Wallet does not have sufficient low-level access. The malware would have to be delivered via the Trezor Bridge, Chrome plugin, or other software.

There is no evidence that this vulnerability has been used in practice.

Stack overflow during dry-run recovery

Christian also found that there is a sufficiently large window in the dry-run recovery during which recursive packet handling behavior can be triggered, leading to a stack overflow. This bug affects all Trezor One devices with firmware version 1.6.1 and earlier. However, the exploitation of this bug is made more difficult by several additional safeguards that have been put in place during previous firmware releases.

To exploit this bug, the attacker would have to coordinate the stack overflow with the right data fields to overwrite important data. This is difficult as USB communication data is the first data that would be corrupted by a stack overflow, preventing an attacker from sending more USB packets. Since firmware version 1.6.1 the MPU is activated, and therefore SRAM is not executable (the device cannot run commands from the SRAM). Moreover, there is no easy way to debug the attack method on regular hardware, making it more difficult to create and test the exploit.

There is no evidence that this vulnerability has been used in practice.

How does this affect Trezor One?

Both issues affect devices with firmware version 1.5.2 and earlier. The buffer overflow can also be exploited on Trezor One with firmware version 1.6.0 but requires a forced firmware downgrade.

The stack overflow bug can be triggered on Trezor One with firmware version 1.6.1 and earlier.

How was the issue fixed?

The bug was reported via the responsible disclosure program. After determining that 1.6.1 was not affected by the more serious buffer overflow bug, we made the update to this version mandatory.

Both bugs were fixed by adding proper bounds checking and avoiding unbounded recursion. The fix was kept in a private repository until the new firmware 1.6.2 was ready.

How to update firmware?

First of all, please make sure you have your recovery seed with you when you perform the update. (Link to manual)

Go to Trezor Wallet and follow the update instructions shown on the screen. When prompted, replug your Trezor One device with both buttons plugged to start it in bootloader mode. Confirm the update procedure, and you will have a new firmware on your device.

Please keep in mind that if your Trezor is running firmware 1.6.1, it will be wiped during an update, due to an unrelated bug. If you do not have your recovery seed, make sure to retrieve it before starting the update process. If you are unsure about the correctness of your recovery seed backup, verify it using dry-run recovery.

If you are running firmware earlier than 1.6.1, please start the update process as soon as possible. Keep in mind that you might still need your recovery seed, as the memory might be erased due to failures (cable, data, computer) during the update process. You should always have your recovery seed available during the update process.

Timeline

2018–05–25: First discovery of both problems (almost at the same time).

2018–05–29: Fix for both vulnerabilities in private repository.

2018–05–30: Confirmation that first (more serious) vulnerability is exploitable on firmware 1.5.2 and not exploitable on 1.6.1.

2018–05–31: Testing of the new firmware begins.

2018–06–04: Researchers reached out to an US-based Trezor-clone hardware wallet.

2018–06–06: Contact with an US-based Trezor-clone hardware wallet established; vulnerability confidentially disclosed by researchers.

2018–06–25: Firmware 1.6.2 released.

2018–07–12: Publication of this disclosure.

Frequently Asked Questions

Is my Trezor One safe?

There is no evidence that either of the vulnerabilities has been used in practice. However, this may change after the vulnerabilities were disclosed and we urge our customers to update the firmware for all their Trezor One devices.

If your Trezor One is running firmware 1.6.2, your device is safe against all known attack vectors.

Is Trezor Model T affected?

The Trezor Model T is not affected by this vulnerability.

I am about to buy a new Trezor One. Will it be affected?

No, Trezor devices are shipped without firmware preloaded, therefore you will install the latest version.

I have an uninitialized Trezor One. What next?

If your device is not initialized yet, then please update the firmware first.

Do I really need to update?

Even though the vulnerabilities disclosed in this article have not been used in practice, we still recommend keeping your devices up-to-date at all times. Regular firmware updates are the key to a secure product.

Please, go to Trezor Wallet. If the Wallet tells you your firmware is outdated, please run the update process. The firmware update will update the bootloader as well.

What is the newest firmware and bootloader version of Trezor One?

Firmware: 1.6.2

Bootloader: 1.5.0

Are other hardware wallets affected?

An US-based Trezor-clone hardware wallet was affected by a different but related vulnerability. We disclosed the issues to their team and cooperated with them to resolve the bugs.

All other hardware wallets based on the Trezor One design are most likely vulnerable.