Last week we released the firmware update 1.8.0 for Trezor One devices, and today we’re proud to release the firmware update 2.1.0 for Trezor Model T devices. Apart from various functional improvements and minor fixes, these updates address and fix three notable vulnerabilities found in recent months.

If you want to learn about the in-depth technical details of these security updates, check out the separate Dev Corner article here.

Patching security issues is always a challenging but positive experience, and we truly appreciate the knowledge brought to this conversation by everyone who worked with us. We worked with some of the best-known experts in the field of embedded hardware security demonstrating Trezor is an essential part of both the open source hardware and Bitcoin communities, and we aim to remain the innovation leaders in these two areas. Communication with all involved parties was very professional and focused on a common goal: improving the overall security of the solutions we provide to our users.

“The latest firmware update required a lot of architectural changes and our dedicated team worked around the clock to devise and implement them. These changes also opened new doors for further improvements. I’m confident to say that Trezor has one of the most innovative teams in the industry and I am very happy I can work with them.” - Stick, SatoshiLabs CTO

Summary and the key takeaway.

Exploiting either of these vulnerabilities requires physical access to the device. An attacker also needs a specialized hardware connected to Trezor device to perform the attack. Those who use passphrases to protect their wallets are unaffected unless they disclosed their passphrase to the perpetrator. At the time of writing this article, there is no evidence that any of these vulnerabilities have ever been exploited outside of the lab to extract any data. As always, we strongly recommend keeping all Trezor devices updated with the latest firmware to maintain the maximum level of security.

Frequently Asked Questions

Is my Trezor safe?

The previously described vulnerabilities can only be exploited after gaining physical access to your device (and taking it apart). Both attacks are fairly sophisticated, requiring substantial know-how and experience. Some of the crucial information needed to exploit these vulnerabilities has never been published. Furthermore, if you use a strong passphrase to protect your wallet, you can’t be affected by any of them.

Is Trezor Model T affected?

There is no evidence that the Trezor Model T could have been directly affected by these vulnerabilities. Nonetheless, our developers made the appropriate updates to the Trezor T code to mitigate any possible future risks, even hypothetical ones.

How can I update my Trezor?

You will find the step-by-step instructions in our User manual. Before you start, make sure to have your recovery seed ready at hand.

Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup. You can test your recovery seed before you update the device firmware.