How does this affect Trezor One?

The bech32_decode and the cash_decode issues only affect the firmware versions 1.6.2 and 1.6.3. Previous versions did not contain the problematic code or prevented the transfer of long address inputs to the device, which mitigates the issue. Both vulnerabilities can be used to trigger a remote shutdown of the Trezor One with the error message “Stack smashing” via browser-based or local attacks without additional user interaction.

How were the issues fixed?

Both bugs were fixed by preventing the out-of-bounds accesses in the code.
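The page does not reproduce the patched code, so the following is an added example, not the trezor-crypto fix: one way an address decoder can rule out out-of-bounds writes is to check every length before copying anything into a fixed-size buffer. The function name split_bech32 is hypothetical, and the length limits are the ones from BIP-173.

```c
#include <stddef.h>
#include <string.h>

/* Limits from BIP-173: whole string <= 90 chars, HRP 1..83 chars,
 * data part includes a 6-character checksum. */
#define BECH32_MAX_LEN 90
#define BECH32_MAX_HRP 83
#define BECH32_CHECKSUM_LEN 6

/* Hypothetical helper (not trezor-crypto code): split `input` at the last
 * '1' separator. Copies the HRP, NUL-terminated, into hrp[hrp_cap] and
 * reports where the data part starts. Returns 1 on success, 0 on reject.
 * Every length is checked before anything is written. */
int split_bech32(const char *input, char *hrp, size_t hrp_cap,
                 const char **data, size_t *data_len)
{
    if (!input || !hrp || !data || !data_len || hrp_cap == 0)
        return 0;

    /* Bounded scan: never read more than MAX_LEN + 1 bytes of input. */
    size_t len = 0;
    while (len <= BECH32_MAX_LEN && input[len] != '\0')
        len++;
    if (len > BECH32_MAX_LEN)
        return 0;               /* over-long address: reject early */

    const char *sep = NULL;
    for (size_t i = 0; i < len; i++)
        if (input[i] == '1')
            sep = input + i;    /* keep the last separator */
    if (!sep)
        return 0;

    size_t hrp_len = (size_t)(sep - input);
    size_t rest = len - hrp_len - 1;
    if (hrp_len < 1 || hrp_len > BECH32_MAX_HRP)
        return 0;
    if (hrp_len + 1 > hrp_cap)  /* room for HRP plus terminating NUL */
        return 0;
    if (rest < BECH32_CHECKSUM_LEN)
        return 0;

    memcpy(hrp, input, hrp_len);
    hrp[hrp_len] = '\0';
    *data = sep + 1;
    *data_len = rest;
    return 1;
}
```

The caller passes the real capacity of its buffer (for example sizeof hrp), so a change to the buffer size cannot silently reintroduce an overflow.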

Timeline

2018–09–26: The bech32_decode issue and resulting buffer overflow are discovered and documented in the SatoshiLabs internal tracker; an initial fix is suggested.

2018–09–27: Crash is reproduced on Trezor One hardware.

2018–09–28: Internal proof of concept for remote attack scenario.

2018–10–04: First attempt to inform Pieter Wuille.

2018–10–06: Second attempt to inform Pieter Wuille.

2018–10–11: First round of disclosure to affected projects. Initial contact with Pieter Wuille.

2018–10–13: Additional project is informed.

2018–10–14: Pieter Wuille confirms the bug.

2018–10–16: Additional project is informed.

2018–10–17: Additional projects are informed.

2018–10–18: Additional projects are informed.

2018–10–23: Proposed public disclosure release date: 2018–10–30

2018–10–24: Ledger is informed. The cash_addr.c vulnerability is disclosed by Ledger to SatoshiLabs.

2018–10–25: Disclosure of cash_addr.c vulnerability to other affected projects, firmware update 1.7.1 is prepared and signed.

2018–10–26: Additional project is informed.

2018–10–30: Coordinated public disclosure.

Frequently Asked Questions

Is my Trezor One safe?

The described vulnerabilities can only be used to shut down your device. In addition, there is no evidence that either of the vulnerabilities has been used in practice.

Is Trezor Model T affected?

The Trezor Model T is not affected by these vulnerabilities.

I am about to buy a new Trezor One. Will it be affected?

Trezor devices are shipped without firmware preloaded, so the latest available firmware will be installed upon the first use of the device. However, the Trezor Wallet will suggest installing version 1.6.3 during the next four weeks.

During that period you will need to obtain version 1.7.1 from our Trezor Beta Wallet. After this period is over, the latest firmware will be offered from the Trezor Wallet as well.

How to update the firmware?

At the time of writing, the new firmware 1.7.1 is optional and available from our Trezor Beta Wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2 or 1.6.3, the update process is straightforward.

If you use older firmware (1.6.1 and older), you will first need to update to firmware 1.6.3. We have added functionality to our Trezor Beta Wallet which will update your Trezor in two steps, if required.

Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.

You can test your recovery seed before you update device firmware.

Why beta wallet?

Firmware update 1.7.1 is available from the beta wallet because it also includes a functionality change which replaces the HID communication protocol with WebUSB. This allows us to bring our web wallet to a much bigger range of devices such as Android Phones and Chromebooks. Although this change has been tested internally for several months without any problems, we are rather cautious in deploying big changes like this. After several weeks, this update will appear on our regular web wallet.

Are other hardware wallets affected?

Yes. As described previously, we have disclosed the issues to several affected vendors, which includes two hardware wallet vendors, and cooperated with them to resolve the bugs.

All hardware wallets based on the Trezor One design or trezor-crypto library are most likely vulnerable.

Revisions to this document