In this article, we'll look into Trezor's security and answer the question: Was Trezor ever hacked?
Trezor is, besides Ledger, one of the market's most known and used hardware wallets to keep your Bitcoin and other currencies safe. Trezor offers great products and excellent security features. You can choose from two models: Trezor Model One and Trezor Model T.
You can read a detailed comparison between the models in our detailed Trezor One vs. Trezor Model T comparison.
Let's have a closer look if Trezor was hacked!
The short answer is Yes, but there is much more to explain about the nature of the attacks. Let's first quickly look at the security features of Trezor devices.
Trezor Security Features
Private keys always remain offline, even if the wallet is connected to a device with an internet connection. The private key is stored on the microprocessor.
The recovery phrases or seeds are 12, 18, or 24 words long.
The wallets are protected with a PIN code. The PIN is 4 to 9 digits long, and the device resets after multiple failed attempts to enter the personal code.
Trezor has open-source software.
For that reason, Trezor devices do not use secure hardware elements* because there is tech involved that is not open source. They claim this is against the open, transparent nature of the crypto world.
*Secure Elements Chip to prevent access via physical attacks. The same chips are used in passports, SIM cards, and credit cards.
Were Trezor wallets ever hacked?
Three bigger, known attacks happened on Trezor devices. All involve a physical attack on the device, which means that to do so, somebody needs to get hold of your Trezor wallet, open it up and directly extract information from the chip, which is quite a process.
Until today, there are no known remote attacks on Trezor devices, and remote attacks are the most common; according to Trezor, 94 % of the attacks are happening remotely.
At the beginning of 2022, hardware hacker Joe Grand posted a YouTube video explaining how they hacked the Trezor Model One device containing about 2 million.
They moved the PIN and key to RAM during the firmware update and installed unauthorized code on the device.
After the video was released, Trezor confirmed that this exploit was fixed and could no longer happen on new devices.
The other two attacks on Trezor were the so-called Seed Extraction Attacks performed by the Donjon security team and the Read Protection Downgrade Attack performed by Kraken Security Labs.
For both attacks to happen, the attacker must possess a specialized hardware tool, strong technical knowledge, and physical access to bypass the protection.
Both attacks could happen only because the Passphrase feature was not enabled on the devices. A strong passphrase fully mitigates the possibility of a successful attack. So you should always have it activated.
In both cases, Trezor acknowledged the security attack and the importance of hacking by third parties to help improve the overall security of the crypto industry. In addition, they addressed the importance of protecting your private key, passphrase, and devices against intruders.
Since these incidents, Trezor wallets haven't been hacked. This is likely due to the many firmware updates the wallet has implemented.
There are also reported ongoing phishing attacks on Trezor users due to the compromised MailChimp services by an insider targeting crypto companies.
Verdict: Are Trezor wallets safe to store your Bitcoin?
It is essential that while Trezor faced physical vulnerability, its hardware wallet is still safe and excellently protected from remote internet-based attacks.
So as long as you take care and keep your wallet, the passphrases, and private keys in an offline and secure place, you don't need to worry that your funds would be compromised. They are only in danger when the bear market comes. :)
If you are looking for your next hardware wallet, you can check our comparison of the best crypto hardware wallets currently available.
FAQ
How did Kraken hack Trezor wallets?
For the Read Protection Downgrade Attack, they used specialized hardware to perform the voltage glitching of the STM32 microchip, which allowed them to bypass the protection. This way, they obtained the encrypted recovery seed from the device.
Can the Trezor vulnerability be fixed?
Trezor doesn't use a Secure Element; therefore, their devices are vulnerable to physical hacking attacks where the device is opened and tampered with.
Fixing this vulnerability would require a complete revamping of the hardware wallet. Trezor is aware of this weakness; however, they haven't made any changes.
For now, they firmly stand behind their statement that as long as you activate the BIP39 passphrase and keep your wallet and keys in a safe, offline place, your assets are highly protected from any remote attack.
How do I know if my new Trezor wallet has been tampered?
Protective seals protect a Trezor box. The case is sealed using ultrasound, so you would see immediately if someone had tampered with it.
All Trezor devices come without firmware software, so you must install it for your first use. If your wallet has installed firmware, then someone used the device before you. You should not use this device.
Also, never buy a second-hand hardware wallet.
What does a phishing attack look like?
Phishing works by sending messages that look like they are from a legitimate company or website. The message usually contains a link that takes you to some dubious website that looks like the real one. Usually, the email contains information you need to confirm your personal information, enter a password, seed phrase, PIN, or card number, download malicious software, etc.
The important thing is that you should never click the links like that or share personal information. No legit company will ask you for your personal information. If you are not sure, don't click in a panic, but research whether the email is legit or not.
