Trezor released official statement on SegWit2x

The developers of the popular hardware wallet do not guarantee successful coin splitting; continue reading to learn more
07 November 2017

The team behind the Trezor hardware wallet has issued a statement setting out its position on the SegWit2x hard fork expected in mid-November and giving recommendations to users who are worried about the safety of their funds.

Although Trezor does not go into detail about which chain it will favor if bitcoin splits, the statement says that after the split at block 494784 there will be two blockchains: Bitcoin (BTC) and SegWit2X (B2X).

The developers confirm that a user who holds bitcoins in a Trezor wallet at that point will have the same number of BTC and B2X coins.

With TREZOR, you own your private keys (in the form of the seed), therefore you have control over all of your coins, including forked coins.
 

Trezor's statement

The statement further notes that the Trezor wallet will support both new and legacy addresses for BTC and B2X. However, since the B2X developers do not plan to implement replay protection, users need to take certain actions to use coins on both chains safely.

  • If the user is only interested in BTC and does not need B2X, he does not need to do anything.
  • If the user is only interested in B2X and does not need BTC, he does not need to do anything.
  • However, if the user is interested in both coins, he will have to go through a manual process of splitting the coins, and because there is no replay protection, the Trezor developers give no guarantee that the process will complete successfully.

Trezor promises to publish additional details on how to split coins manually soon.

For those who wonder why the situation is not the same as with last year's Bitcoin Cash fork, the developers point out that replay protection was implemented there, and the whole process was therefore much easier.

Regarding the device interface, B2X will appear as a separate wallet, but coins will show up there only after they have been split. It is important to remember that B2X will use the same address format as bitcoin, but its addresses will be generated via a different derivation path (m/44'/157'/). Therefore, before making transactions, users will need to make sure that they send the correct coins to the correct chain.

Ledger to Report on Trezor Vulnerabilities

According to the report, security research by the Attack Lab found 5 serious vulnerabilities
12 March 2019

Ledger, the leading manufacturer of cryptocurrency hardware wallets, has spoken about the vulnerabilities identified in the devices of its direct competitor Trezor. This is stated in a message distributed by the French company on Monday, March 11.

The Ledger study states that the vulnerabilities were discovered by employees of Attack Lab, a division of the company which, to increase security, hacks both its own wallets and competitors' devices. Representatives of Ledger claim that they repeatedly contacted Trezor regarding the weak points in its Trezor One and Trezor T wallets and, after the disclosure period ended, decided to make them public.

The first problem relates to the authenticity of devices. As Ledger claims, a Trezor device can be imitated by hacking it with malware and then resealing it in its box, forging the sticker designed to protect against unauthorized access. That sticker, said the French company, is easy to remove. It is also claimed that this vulnerability can be eliminated only by reworking the entire design of Trezor wallets, in particular by replacing one of the main components with a Secure Element chip.

Secondly, Ledger hackers were able to obtain the PIN of a Trezor wallet using a side-channel attack. Later, Trezor solved this problem in its firmware update 1.8.0.

The third and fourth vulnerabilities, which Ledger also proposes to eliminate by replacing the main component with a Secure Element chip, concern the possibility of stealing confidential data from the device. Ledger claims that an attacker with physical access to Trezor One and Trezor T can extract all data from flash memory and gain control over the assets stored on the devices.

The last discovered weakness is also related to the Trezor security model: as stated by Ledger, the Trezor One cryptographic library does not contain adequate countermeasures against hardware attacks. It is alleged that a hacker with physical access to the device can extract the secret key through a side-channel attack, although Trezor claimed that its wallets are resistant to such an attack.

It is noteworthy that in November 2018 Trezor representatives themselves warned that an unknown third party was distributing individual copies of their flagship device, Trezor One, urging users to buy wallets only through their official website.

However, in its report, Ledger claims that users cannot be sure even if they buy equipment on the Trezor website. An attacker can buy multiple devices, hack them, and then send them back to the manufacturer for compensation. Ledger researchers conclude that if a compromised device is resold, users' cryptocurrency may be stolen.

There is no comment from the Trezor team yet.