in

How do you know that hardware wallets do not have hacked hardware?

I found this Trezor hardware description:

[https://github.com/trezor/trezor-core/blob/master/docs/hardware.md](https://github.com/trezor/trezor-core/blob/master/docs/hardware.md)

What I’m not getting is how you know that this is exactly the device they send you. You still have to trust them (and everyone who handled the package along the way), or am I missing something?

EDIT: Telling me that the *software* is open source doesn’t address the question of whether there’s additional *hardware* on your device running additional software or firmware that’s up to something else. So most of the responses so far miss the mark.



View Reddit by seattle_refugeView Source

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

8 Comments

  1. You have to trust them, and best buy from them directly.

    They do have some packaging and software checks against tampering:

    >Apart from the physical tamper-evident hologram, our devices also use software safeguards against tampering. The device firmware and bootloader are signed by SatoshiLabs, and these signatures are checked whenever you start the device. The TREZOR will warn you if the signatures are invalid. Apart from that, we dispatch all of our devices without preinstalled firmware. Therefore your can conveniently check that there isn’t a preinstalled malicious firmware.

    [https://blog.trezor.io/trezor-one-tamper-evident-packaging-f98d3f63569d](https://blog.trezor.io/trezor-one-tamper-evident-packaging-f98d3f63569d)

    I’ve not heard of any hardware mods that would break the security, other than the successful example of Kraken:

    [https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/](https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/)But never heard that this got applied in some real hack as it requires physical access to the wallet. Doesn’t mean it isn’t possible of course…

  2. My hardware wallet did not come with any firmware.

    When I used it the first time, I had to follow the steps to make sure it was not tampered with.

    The device then confirmed that it had not been used before, and it did not have any firmware installed on it previously.

  3. You can work around the hardware to some extent if you’re concerned.

    Generate a wallet with physical dice, verify the dice rolls on a separate air gapped computer (https://coldcardwallet.com/docs/verifying-dice-roll-math), add a complex custom passphrase on top, verify addresses with Ian Coleman’s BIP39 tools offline (https://iancoleman.io/bip39/), only use the wallet air gapped. Verify your signed partial transactions before broadcasting.

  4. The thing with Trezor I believe is that they do give you the plans to build it yourself if you really don’t trust their construction is free from tampering that allows someone to steal your funds. It comes down to whether you want to take the time to learn the skills to source and order all the parts, print a pcb, do all the work yourself, do an initial firmware load, or just trust Trezor and buy it through them. Some people, rolling their own is a viable option.

  5. Everything is open source you can have an expert analyze the code and verify everything is legit.

    If you do decide to get one, you should get like three or four of them. You can clone them with the same recovery words and store them in different locations.

    They factory reset if someone guesses the PIN number wrong three times.

  6. how do you know software wallets aren’t hacked? same thing. simple hardware like this is even easier to verify than software imo.

    you are ultimately responsible for your security. and you are responsible for your skills and knowledge. every time you trust someone else, you put yourself at risk. so you choose how to resolve this concern.

What do you think?

After Targeting BlockFi, State Regulators Now Set Their Eyes On Celsius

After Targeting BlockFi, State Regulators Now Set Their Eyes On Celsius

IRS Moving the Goal Posts