Trezor to Undergo Fishing Attack

Trezor wallet team asks users to be exteme caution
02 July 2018   182

According to the blog of developers of the hardware wllet Trezor, their service has recently undergone a phishing attack. The project team stated that it received many complaints about the incorrect Secure Sockets Layer (SSL) certificate.

The number of warnings about the incorrect certificate has increased due to the increasing number of phishing attacks on the site. The vectors of the attack are reportedly the so-called "poisoning of the DNS server" and "BGP-interception".

Poisoning a DNS server is an attack that uses some DNS vulnerabilities. It allows the attacker to redirect traffic from legitimate servers to fake ones. This exploit was used, for example, to attack the "Great Chinese Firewall" in 2010.

BGP interception (also known as "prefix intercept") is an attack that consumes IP address groups and is performed by corrupting the routing Internet tables that the BGP protocol operates on.

As a result of the attack, the fake Trezor wallet site showed a warning message asking the user to restore the seed-phrase (an access key consisting of 12-24 "simple and memorable" words). According to Trezor, this was already the "second alarm bell", because the warning message was written with errors.

The third red flag was the method of recovery (seed check) — the fake site forced users to enter both the order number as well as the seed word into the computer.
 

Trezor's Blog

Next, the team warned users about the security measures that must be taken to protect themselves from this attack. It stressed that users should never enter their seed-phrases into the computer - this should be done only in the Trezor device. In addition, according to Trezor, the user should make sure that there is a "Protected" in the address bar of his browser.

They also noted that the fake wallet had already been blocked by the hosting provider, but they asked users to remain vigilant and inform the Trezor team about suspicious sites.

Bitcoin Cash Addresses to be accepted on Trezor

Well-known hardware cold storage wallet company Trezor confirmed the integration of Cashaddr for Bitcoin Cash
02 April 2018   868

Jason Elliott, Twitter BSH advocate, started tweeting to hardware, cold storage wallet markets as to when their users could suppose Cashaddr implementation,  a bitcoin cash (BCH) ecosystem accepted standard for addresses to help limit disorder. Bach N. of Trezor replied, affirming Cashaddr to be in drafting for Trezor. He also completed his answer with a a Github link, which appeared to prove the tweet.

The Github refers a Trezor MCU started the beginning of this year. The creator of Cashaddr #285 is Jochen Hoenicke. There are also 3 commits, including Satoshi Labs’ repository participant Pavol Rusnak.

This needs to be done outside the firmware for cashaddr support. Webwallet: compute cashaddr addresses from xpub. Note that only the last step from hashed public key to address needs to be changed. The webwallet checks that the address the Trezor returns is as expected. This check should also allow 1.. addresses so that it works with older firmware (so we don’t have to deploy both at the same time); allow cashaddr as send to address. The firmware supports both and both use SPENDADDRESS. The only difference is the confirmation message given to the user; the transaction format did not change at all.

 

Jochen Hoenicke 

Developer, Github

 

Amaury Séchet, the lead developer of bitcoin cash, considers though such changes may be expensive, it is necessary to study different other options then changing only the prefix before settling on something.

Two weeks ago Trezor answered to long time Reddit user about how the company was just outright refusing to add the address change. They explained that the mess had been caused by inconvenient architectural decision of [BCH] team. Despite the team had been  alerted by Trezor about the problem, the programmers decided to ignore the warning.Cashaddr support is in common development process and it’ll be ready when done.

Supplemented with the even more recent confirmation and Github activity, Bitcoin Cash users can stay hopeful about the coin`s future development prospects.