Trezor released Firmware 1.6.1 and a Bootloader update on March 21, 2018 for the Trezor One. The Firmware and Bootloader update closes an exploit that could be used to modify the instructions on a Trezor One before setup.
When you update to the latest Firmware it will also update and secure the bootloader. This exploit is related to a flaw in a chip and how it sets write protection.
Full details: https://blog.trezor.io/trezor-one-firmware-update-1-6-1-eecd0534ab95
Frequently Asked Questions (direct from Trezor)
Is my TREZOR One safe?
There is no evidence that this vulnerability has been used in practice. Nonetheless, we have decided to release this update for preventive reasons, according to our security philosophyand responsible disclosure program.
If your TREZOR One arrived with its packaging intact, then your TREZOR is safe to use. The firmware update will check your bootloader version, its authenticity and update it.
If your TREZOR One arrived with its packaging opened, then your TREZOR might still be safe to use, under certain circumstances. The firmware update will check your bootloader version, its authenticity and update it. If the bootloader passes the authenticity check, your device will run without errors and thus it is safe to use.
If the bootloader does not pass the authenticity check, the firmware will warn you. In this case, please contact our Support Team.
Is TREZOR Model T affected?
The TREZOR Model T is not affected by this vulnerability, because it uses a chip with a different flash controller — STM32F427.
I am about to buy a new TREZOR One. Will it be affected?
If you are buying a TREZOR One directly from TREZOR Shop, we are already shipping out devices with the latest bootloader. These devices are not affected by the issue disclosed in this article.
I bought a TREZOR One yesterday, is it affected?
If your TREZOR One arrived with its packaging intact, then your TREZOR is safe to use. The firmware update will check your bootloader version, its authenticity and update it.
If your TREZOR One arrived with its packaging opened, then your TREZOR might still be safe to use, under certain circumstances. The firmware update will check your bootloader version, its authenticity and update it. If the bootloader passes the authenticity check, your device will run without errors and thus it is safe to use.
If the bootloader does not pass the authenticity check, the firmware will warn you. In this case, please contact our Support Team.
I bought a TREZOR One from an official reseller yesterday, is it affected?
The answer above applies to his case as well. If you need to contact our Support Team, please attach the name of the reseller.
I bought a TREZOR One from an official reseller and initialized it already. Am I at risk?
Please update the device firmware. If the update does not warn you during the bootloader update (second part of the update process), then your device is safe to use.
I have an uninitialized TREZOR One. What next?
If your device is not yet initialized, then please update the firmware first. The firmware update will also update the bootloader, making sure you are starting off with a secure device.
Do I really need to update?
Even though the vulnerability disclosed in this article cannot be exploited to extract private keys from the device, we still recommend keeping your devices up-to-date at all times. Regular firmware updates are the key to a secure product.
Please, go to TREZOR Wallet. If the Wallet tells you your firmware is outdated, please run the update process. The firmware update will update the bootloader as well.
What is the newest firmware and bootloader version of TREZOR One?
Firmware: 1.6.1
Bootloader: 1.4.0
Are other hardware wallets affected?
All hardware wallets using STM32F205/F405 are potentially vulnerable to this attack vector. We have already reached out to other producers of hardware wallets and informed them about the issue.
Why is the issue disclosed in detail on the same day as the update release?
There are multiple reasons why we decided to release a full disclosure today, the most important are:
- The vulnerability cannot be exploited to extract private keys out of already-initialized devices, meaning TREZOR One users are not at risk.
- The production code of TREZOR One firmware is published publicly as it is open source, so even without technical details, a potential attacker can understand the nature of the vulnerability from the source code.
- Our philosophy is rooted in absolute transparency, and therefore we prefer to keep our users informed as soon as possible