If Trezor ever gets hacked and the hacker releases an "official" firmware update, can we all lose our funds?

I’m wondering if a hacker was able to release a firmware update which would be “official”, and if we all updated/downloaded it, would that be able to wipe all our funds?
Please explain in detail, thank you.

I hope SO SO MUCH that you are in the wrong. Better not to panic beforehand.
Well, technically, I hope that firmware supply chain with signature and signing key wasn’t … won’t even dare to say. We don’t know the situation, maybe it’s just a firmware mistake and it’s gonna be fixed. But if it’s one: it’s also a ring, that requires better review on how the releases are made.
As for SSL 128bit - from my point of view: it’s already not a good option considering existence of new technical ways of hacking. 128bit was strong in 2017.

The software used in Trezor devices has always been open-source to be fully auditable. Everybody can look at the code used in Trezor devices and verify its integrity, look for vulnerabilities, or come up with improvements and integrations.

We made Trezor fully transparent to eliminate the inherent need for trust and to share as much of our knowledge and ideas with the broader community. See SatoshiLabs Security Philosophy Manifesto if you wish to read more about our principles and motivations.

There are multiple layers of code ensuring the legitimacy and safety of operations executed by your device:

The boardloader is write protected embedded-immutable code of the device. Its function is to load and check the integrity and signatures of the bootloader. The primary purpose for write protecting the boardloader is to make it the immutable portion that can defend against code-based attacks (e.g., BadUSB), and bugs which could reprogram any/all of the embedded code. It assures that only embedded code with verified signatures runs on the device (and that the intended code is run, and not skipped). The boardloader cannot be updated, modified, or removed.

The bootloader is a simple program designed to install, update, and check the firmware loaded on the Trezor device. The bootloader checks the integrity and signatures of the firmware and runs it if everything is OK. This examination occurs every time you power the device. If the bootloader detects an unofficial firmware, it displays a noticeable warning on the device screen.

When updating the firmware, the bootloader erases the memory on the device and only restores it after it verifies the signatures on the firmware.
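
The two-stage check described in the post above (boardloader verifies bootloader, bootloader verifies firmware), as an added example that is not part of the thread and is not Trezor's code. It assumes each stage carries the public key for the next, and it uses Lamport one-time signatures over SHA-256 as a standard-library stand-in for the device's real signature scheme; all function names, images and keys are constructed for the demonstration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes) -> list:
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport key: 256 secret pairs, public key = their hashes. One message per key.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg: bytes) -> list:
    # Reveal one secret of each pair, selected by the message digest bits.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def pack_pk(pk) -> bytes:
    return b"".join(a + b for a, b in pk)

def unpack_pk(raw: bytes) -> list:
    return [(raw[i:i + 32], raw[i + 32:i + 64]) for i in range(0, len(raw), 64)]

def boot(boardloader_pk, bl_image: bytes, bl_sig, fw_image: bytes, fw_sig) -> str:
    # Stage 1: the immutable boardloader checks the bootloader with its built-in key.
    if not verify(boardloader_pk, bl_image, bl_sig):
        return "halt: bootloader signature invalid"
    # Stage 2: the verified bootloader checks the firmware with the key packed
    # into its own (already verified) image: the last 256 * 64 bytes (assumed layout).
    fw_pk = unpack_pk(bl_image[-256 * 64:])
    if not verify(fw_pk, fw_image, fw_sig):
        return "warning: unofficial firmware"
    return "run firmware"

def make_release():
    # Constructed sample images; keys are generated fresh for the demo.
    bl_sk, bl_pk = keygen()
    fw_sk, fw_pk = keygen()
    bl_image = b"constructed bootloader code" + pack_pk(fw_pk)
    fw_image = b"constructed firmware v1"
    return bl_pk, bl_image, sign(bl_sk, bl_image), fw_image, sign(fw_sk, fw_image)

if __name__ == "__main__":
    print(boot(*make_release()))
```

A signature check of this kind accepts any image signed with the matching private key, so it establishes who released the firmware rather than what the firmware does.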


Okay so in simplicity, would it be possible to empty my wallet by running an unofficial firmware update?

No, because an unofficial Firmware would not run. Every time Trezor starts up it checks the authenticity (checksum) of the Firmware and if it’s not correct then Trezor shows an error message and won’t run.

Edit: I should perhaps mention that if the checksum matches in an unofficial Firmware, it means it’s the same file as the official original. There’d be no point in making an unofficial firmware which is identical to the official one.


Not the solution yet, because many people are facing this issue, including me, but thank you for the info, that calms a little. The solution is the moment when people will get the grasp of what happened and how to avoid such a thing in the future.

You didn’t specify any “issue” so far.