Disturbing news @jooliver. It’s the first time I’ve heard of such a recent hack and I don’t know if it’s still a valid method or not, but as far as I can see this method requires that the hacker have physical access to the device. Typically someone who buys a device (new or used) and then sells it again as used after they’ve written their own code to the device. You should therefore never buy used hardware wallets like Trezor.
I think I’ll leave this to Developer @matejcik to answer further. I don’t know much about how Trezor works internally.
This is a year-old news item, based on a security flaw in the Trezor One that was fixed in a firmware update five years ago.
Apart from requiring a Trezor One that has not been updated since early 2018, this hack requires taking the Trezor apart, soldering things to it, and generally having the skills of a pro hardware hacker.
It has absolutely nothing to do with the topic here, unfortunately.
I find it extraordinary that Trezor’s first advice, when contacted about my unauthorized transactions, was ‘get whatever is left in the cold wallet out’. Too-late advice; however, also interesting is that Trezor did not ask for the transaction data, not their problem obviously. The more I visit the community, the more cases of unauthorized transactions show up. I bought the cold wallet from the Trezor site, the seal was intact when I received it, my seed words were not compromised, no one else had access to my physical device. It was hacked plain and simple, yet Trezor continues to sell their product unchallenged. I guess $21,000 Canadian is small potatoes to them.
Since each transaction must be signed by using private keys of the respective address and considering the fact that Trezor has never been hacked remotely and it’s designed not to reveal private keys (essential for creating a transaction) to anyone, not even to you even if it’s needed (this statement can be verified and audited by anyone since our device is fully open-sourced), there are basically 2 scenarios of what can happen:
Either some 3rd person used your Trezor physically for confirming the transaction
Your private keys (represented by your recovery seed) were compromised and the attacker used them to sign the transaction. This is possible since you can recover your wallet including your private keys by performing a recovery with a compatible wallet.
I just logged in to the suite and realized that there have been 2 unauthorized transactions. Balance is now $0.
Bought device from Trezor’s site
Seal was intact.
Have not shared my seed with anyone.
Trezor is stored at home.
I need help!