Protect from getting a fake Trezor device

Hi there

How can I make sure that the Trezor device that is shipped to me is really an original untampered device and not a completely fake device or an original Trezor device with tampered firmware? If I have a Trezor device in my hand, is there any way to check whether the device is really an original device produced by Trezor and has an untampered original firmware on it etc.? I know that I have to check whether the package that is shipped to me is not damaged and that the hologram is on it… but these things are very easy to fake without me being able to notice. So how can I check whether I have been shipped a clear original Trezor device before starting investing?

Thanks

Repeatedly reset the device 20 times to see if 20 different wallets are generated.
Malicious firmware generates fixed seeds.

3 Likes

@Flix

  • All Trezor devices are distributed without firmware, so you need to install it for your first use. If there is firmware installed already, then that means that someone used this device before you.

  • The bootloader verifies the firmware signature. The device only runs if the firmware is correctly signed by SatoshiLabs.

  • Because the recovery seed is generated during Trezor setup, there is no default seed, only the seed you will generate for yourself. If you encounter any Trezor device with preinstalled firmware that was purchased as new, please let us know.

Thanx a lot! Very good advice!!!

Thx a lot for the explanation, forgi. “The bootloader verifies the firmware signature” sounds good. One thing: What if the device I have been sent is a complete fake which has never been produced by Trezor in the first place and hence has no such bootloader verifying the firmware signature for obvious reasons (i.e. because thieves want to steal my coins)? I know that this might sound a little bit too cautious, but what feels strange to me is that blockchain technology is revolutionary because, for the first time in human history, it allows for completely trustless exchange of assets with anyone in the world who you don’t know, but on the contrary I have to fully trust a wallet creator like Trezor…
So how can I trust that the physical device I get from Trezor is really from Trezor? Does each physical device have a unique serial number printed on the case so that I can write an email to Trezor company after having received the physical device and ask Trezor people to tell me this unique serial number via email so I can compare it to the serial on my physical device?

Already answered in previous post, if there is no bootloader it cannot verify the firmware that you have to install during the setup, so you would get a warning message.

Only way to steal your coins would be installing malicious FW, which you can spot right away because all Trezor devices come without any FW.

Also as said, you have to create your own seed.

https://wiki.trezor.io/Security:Software

The fakes would normally bear the “Made in China” barcode sticker on the package, thanks to strict importing regulations, while the original package doesn’t mention such information on the barcode sticker at all.

We do not keep track of serial numbers; they are only for manufacturing purposes.

How can I check whether firmware is installed on my Trezor Model T or not?

By plugging it in… If Suite prompts you to install FW, then there is nothing installed; otherwise it will give you a security warning.