Trezor to Undergo Fishing Attack

Trezor wallet team asks users to be exteme caution
02 July 2018   544

According to the blog of developers of the hardware wllet Trezor, their service has recently undergone a phishing attack. The project team stated that it received many complaints about the incorrect Secure Sockets Layer (SSL) certificate.

The number of warnings about the incorrect certificate has increased due to the increasing number of phishing attacks on the site. The vectors of the attack are reportedly the so-called "poisoning of the DNS server" and "BGP-interception".

Poisoning a DNS server is an attack that uses some DNS vulnerabilities. It allows the attacker to redirect traffic from legitimate servers to fake ones. This exploit was used, for example, to attack the "Great Chinese Firewall" in 2010.

BGP interception (also known as "prefix intercept") is an attack that consumes IP address groups and is performed by corrupting the routing Internet tables that the BGP protocol operates on.

As a result of the attack, the fake Trezor wallet site showed a warning message asking the user to restore the seed-phrase (an access key consisting of 12-24 "simple and memorable" words). According to Trezor, this was already the "second alarm bell", because the warning message was written with errors.

The third red flag was the method of recovery (seed check) — the fake site forced users to enter both the order number as well as the seed word into the computer.
 

Trezor's Blog

Next, the team warned users about the security measures that must be taken to protect themselves from this attack. It stressed that users should never enter their seed-phrases into the computer - this should be done only in the Trezor device. In addition, according to Trezor, the user should make sure that there is a "Protected" in the address bar of his browser.

They also noted that the fake wallet had already been blocked by the hosting provider, but they asked users to remain vigilant and inform the Trezor team about suspicious sites.

Ledger to Report on Trezor Vulnerabilities

As reported, the security research by the Attack Lab found 5 serious vulnerabilities 
12 March 2019   188

The leading manufacturer of cryptocurrency hardware wallets Ledger spoke about the vulnerabilities identified in the devices of his direct competitor Trezor. This is stated in a message distributed by the French company on Monday, March 11.

The Ledger study states that the vulnerabilities were discovered by employees of Attack Lab, a division of the company, which, to increase security, hacks both own wallets and competitors' devices. Representatives of Ledger claim that they have repeatedly contacted Trezor regarding the weak points in their Trezor One and Trezor T wallets, and after the disclosure period ended, they decided to make them public.

The first problem is related to authenticity of devices. As Ledger claims, the Trezor device can be simulated by hacking it with malware, and then resealing it in a box, forging a sticker designed to protect against unauthorized access. The latter, said the French company, is easy to remove. It is also claimed that this vulnerability can be eliminated only by reformatting the entire design of Trezor wallets, in particular, by replacing one of the main components with the Secure Secure chip.

Secondly, Ledger hackers were able to pick up a PIN on a Trezor wallet using an attack on a third-party channel. Later, Trezor solved this problem in its firmware update 1.8.0.

The third and fourth vulnerabilities, which Ledger also proposes to eliminate by replacing the main component with the Secure Element chip, are the possibility of stealing confidential data from the device. Ledger claims that an attacker with physical access to Trezor One and Trezor T can extract all data from flash memory and gain control over the assets stored on devices.

The last discovered weakness is also related to the Trezor security model: as stated by Ledger, the Trezor One cryptographic library does not contain adequate countermeasures against hardware attacks. It is alleged that a hacker with physical access to the device can extract the secret key through an attack on a third-party channel, although Trezor claimed that his wallets are resistant to such an attack.

It is noteworthy that in November 2018 Trezor representatives themselves warned that an unknown third party was distributing individual copies of their flagship device, Trezor One, urging users to buy wallets only through their official website.

However, in its report, Ledger claims that users cannot be sure, even if they buy equipment on the Trezor website. An attacker can buy multiple devices, hack them, and then send them back to the manufacturer for compensation. Ledger researchers conclude that if a compromised device is resold, user cryptocurrencies may be stolen.

There's no comment from Trezor team yet.