How does this affect Trezor One?
The bech32_decode and the cash_decode issues only affect the firmware versions 1.6.2 and 1.6.3. Previous versions did not contain the problematic code or prevented the transfer of long address inputs to the device, which mitigates the issue. Both vulnerabilities can be used to trigger a remote shutdown of the Trezor One with the error message “Stack smashing” via browser-based or local attacks without additional user interaction.
How were the issues fixed?
Both bugs were fixed by preventing the out-of-bounds accesses in the code.
- 2018–09–26: The bech32_decode issue and resulting buffer overflow are discovered and documented in SatoshiLabs-internal tracker, initial fix is suggested.
- 2018–09–27: Crash is reproduced on Trezor One hardware.
- 2018–09–28: Internal proof of concept for remote attack scenario.
- 2018–10–04: First attempt to inform Pieter Wuille.
- 2018–10–06: Second attempt to inform Pieter Wuille.
- 2018–10–11: First round of disclosure to affected projects. Initial contact with Pieter Wuille.
- 2018–10–13: Additional project is informed.
- 2018–10–14: Pieter Wuille confirms the bug.
- 2018–10–16: Additional project is informed.
- 2018–10–17: Additional projects are informed.
- 2018–10–18: Additional projects are informed.
- 2018–10–23: Proposed public disclosure release date: 2018–10–30
- 2018–10–24: Ledger is informed. The cash_addr.c vulnerability is
disclosed by Ledger to SatoshiLabs.
- 2018–10–25: Disclosure of cash_addr.c vulnerability to other affected projects, firmware update 1.7.1 is prepared and signed.
- 2018–10–26: Additional project is informed.
- 2018–10–30: Coordinated public disclosure.
Frequently Asked Questions
Is my Trezor One safe?
The described vulnerabilities can only be used to shut down your device. In addition, there is no evidence that either of the vulnerabilities has been used in practice.
Is Trezor Model T affected?
The Trezor Model T is not affected by these vulnerabilities.
I am about to buy a new Trezor One. Will it be affected?
Trezor devices are shipped without firmware preloaded, therefore a new firmware will be installed upon the first use of the web wallet. However, our regular web wallet will suggest installing version 1.6.3 during the upcoming 4 weeks. During that period you’d need to obtain version 1.7.1 from our beta web wallet. After this period is over, the latest firmware will be offered from our regular web wallet too.
How to update the firmware?
At the time of writing, the new firmware 1.7.1 is optional and available from our beta web wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2 or 1.6.3, the update process is straightforward.
If you use older firmware (1.6.1 and older), you will first need to update to firmware 1.6.3. We have added a functionality to our beta web wallet which will update your Trezor in two steps, if required.
Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.
You can test your recovery seed before you update device firmware.
Why beta wallet?
Firmware update 1.7.1 is available from the beta wallet because it also includes a functionality change which replaces the HID communication protocol with WebUSB. This allows us to bring our web wallet to a much bigger range of devices such as Android Phones and Chromebooks. Although this change has been tested internally for several months without any problems, we are rather cautious in deploying big changes like this. After several weeks, this update will appear on our regular web wallet.
Are other hardware wallets affected?
Yes. As described previously, we have disclosed the issues to several affected vendors, which includes two hardware wallet vendors, and cooperated with them to resolve the bugs.
All hardware wallets based on the Trezor One design or trezor-crypto library are most likely vulnerable.
Revisions to this document
- 2018–10–30 14:49 CET: Original release.
- 2018–10–30 16:03 CET: Rephrased “I am about to buy a new Trezor One. Will it be affected?” section to be more accurate.
- 2018–10–30 17:28 CET: Correct the details about “cash_decode” issue.