Crypto Twitter claims that cryptocurrency recovery solutions company Unciphered’s video of hacking into a Trezor T is
simply FUD. Users have detailed that Unciphered’s hacking method requires the attacker to physically hold the victim’s wallet before performing the exploit. Furthermore, users claim that all that is required to protect private keys is a strong passphrase.
I saw this coming from miles away. You thought Ledger would lose customers to Trezor without putting up a fight? 😂— Vlad is Breaking FUD (@TheVladCostea) May 24, 2023
Trezor’s vulnerability to physical access is a design choice to avoid using closed source security chips. You can mitigate it with a passphrase.
More FUD 😆 pic.twitter.com/bnxhncgX91
Some users contend that the hacking news has been misinterpreted and isn’t particularly important. Three years ago, Kraken Security Lab researchers discovered the Read Protection (RDP) Downgrade attack which exploited the physical vulnerabilities of Trezor devices to steal data. Trezor themselves have released a statement addressing the vulnerability, which is allegedly the same vulnerability exploited by Unciphered. As a result, people have categorized this exploit as old news.
It’s not really big news imo. This happened before and will happen again. I would recommend using a strong passphrase so that even if it happens to you (not likely) it won’t be game over— Udi Wertheimer 🧙♂️ (@udiWertheimer) May 25, 2023
On May 24, Unciphered announced that it cracked the Trezor T by satoshilabs. Unciphered has not revealed details about the specific attack they performed due to “current engagements and non-disclosure agreements” that restrict them to do so. Accordingly, Unciphered has criticized Trezor for not doing anything to fix the vulnerability of its hardware.
It's official we're the first to crack the @Trezor T by @satoshilabs.— Unciphered LLC (@uncipheredLLC) May 24, 2023
Unfortunately, it's unfixable at the chip level: https://t.co/42d7GgSNvl#btc #vulndev #cryptocurrency #badbounty
Three years ago, Kraken Security Labs discovered the physical vulnerabilities of Trezor. As a result, Trezor made efforts to fix the vulnerability, notably through its sister company Tropic Square. Interestingly, Unciphered has mentioned that this vulnerability has already been patched, and their exploit was on Trezor’s latest firmware.
Hi, check our official response to the Kraken findings on our blog. Using a passphrase fully mitigates the attack. Also, we are working with @tropicsquare on a solution that should bring a transparent secure element to Trezor to improve physical security. https://t.co/U1Mh6euNyg— Trezor (@Trezor) May 23, 2023
This news comes after Ledger’s controversial firmware update surrounding ‘Ledger Recover’. Users can use this feature to back up their secret recovery phrase and recover it in an emergency. However, users reacted angrily to this decision, claiming that the update compromised their data by introducing a backdoor.