TREZOR, one of the most popular hardware wallets, encountered a security concern on August 17, 2017. The security issue was brought to attention by an individual researcher through responsible disclosure. An article describing a vulnerability was widely shared among the different cryptocurrency communities and social networks.
Soon, a blog post by SatoshiLabs addressing concerns about TREZOR firmware (1.5.2) was published. They acknowledged that, while the description of the vulnerability was rather accurate, several important details and claims were not, which contributed to the misinformation about TREZOR. They released the security update to TREZOR on August 16, 2017; a new firmware version, 1.5.2, was pushed out to all users. This update fixes a security issue that affects all devices with firmware versions lower than 1.5.2.
Following up on the fix, they released a full report on the vulnerability and on the fix available in 1.5.2. A Medium post, "Fixing physical memory access issue in TREZOR", was published on August 18, 2017.
The report answers most of the frequently asked questions about this vulnerability, such as:
What was the main purpose of this security update?
How does the attack work?
How did we fix the vulnerability?
What about the already sold devices?
Why is the device memory not encrypted?
Responsible Disclosure Timeline
1-Aug-2017: Vulnerability discovered and reported
16-Aug-2017: Firmware 1.5.2 released
17-Aug-2017: Addressed concerns and misinformation about 1.5.2
18-Aug-2017: Report on the vulnerability published