Trezor released new firmware for its hardware wallet to address a recently found security flaw. The new firmware for Trezor One (version 1.9.1) and Trezor Model T (version 2.3.1) is now available to install.
Fixing Vulnerability in Segwit Transactions
Saleem Rashid found the new vulnerability in the firmware of Trezor hardware wallets and reported it through a responsible disclosure program. The company updated the firmware to address it and also to ship some internal refactoring.
Trezor always requires the previous transactions in order to check the UTXO’s real balance. This check is performed on non-Segwit transactions to make sure users don’t unknowingly pay a high transaction fee. But after the introduction of Segwit, the principles changed a little:
“With the introduction of Segwit, the Bitcoin developers tried to simplify this. When signing a Segwit transaction, a slightly different piece of data is being signed. This is defined in BIP-143, and one of the changes was that the amount of the UTXO is present in the signed data. This helps significantly; if the attacker lies about the UTXO’s amount, the signature is simply not valid in the Bitcoin network,” says Trezor.
Trezor explains the recent vulnerability in the Segwit transactions of hardware wallets in a blog post. In summary, attackers could use the vulnerability, together with malware, to ask the victim to confirm another transaction next to their original transaction and pay more cryptocurrency. Trezor explained the fix for the vulnerability:
“The fix is straightforward – we need to deal with Segwit transactions in the very same manner as we do with non-Segwit transactions. That means we need to require and validate the previous transactions’ UTXO amounts. That is exactly what we are introducing in firmware versions 2.3.1 and 1.9.1.”
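The check described in the fix can be sketched as follows. This is an added example, not Trezor's firmware code: the signer accepts a host-supplied UTXO amount only when the full previous transaction hashes to the txid the input references and its output at that index carries the same amount. The function names and the sample transaction are hypothetical, and the previous transaction is assumed to arrive whole in legacy (non-witness) serialization.

```python
import hashlib
import struct

def txid_of(raw_tx):
    """Double SHA-256 of the legacy serialization, in internal byte order."""
    return hashlib.sha256(hashlib.sha256(raw_tx).digest()).digest()

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def output_amounts(raw_tx):
    """Return the output amounts (in satoshi) of a legacy-serialized transaction."""
    pos = 4                                    # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        script_len, pos = read_varint(raw_tx, pos + 36)   # skip txid + index
        pos += script_len + 4                  # skip scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    amounts = []
    for _ in range(n_out):
        amounts.append(struct.unpack_from("<Q", raw_tx, pos)[0])
        script_len, pos = read_varint(raw_tx, pos + 8)
        pos += script_len                      # skip scriptPubKey
    if pos + 4 != len(raw_tx):                 # only the locktime may remain
        raise ValueError("malformed previous transaction")
    return amounts

def validated_amount(raw_prev_tx, prev_txid, prev_index, claimed_amount):
    """Accept the host's claimed amount only if the previous transaction proves it."""
    if txid_of(raw_prev_tx) != prev_txid:
        raise ValueError("previous transaction does not match the input's txid")
    amounts = output_amounts(raw_prev_tx)
    if prev_index >= len(amounts) or amounts[prev_index] != claimed_amount:
        raise ValueError("claimed UTXO amount is not backed by the previous transaction")
    return claimed_amount

def sample_prev_tx(amounts=(150_000, 50_000)):
    """Constructed sample: one dummy input, one output per amount, locktime 0."""
    tx = struct.pack("<I", 1) + b"\x01" + bytes(32) + struct.pack("<I", 0)
    tx += b"\x00" + b"\xff\xff\xff\xff" + bytes([len(amounts)])
    for amount in amounts:
        tx += struct.pack("<Q", amount) + b"\x02\x51\x51"   # 2-byte dummy script
    return tx + bytes(4)
```

Because the txid is checked before the outputs are parsed, a host cannot substitute a different previous transaction with a more convenient amount: any change to the bytes changes the hash.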
Some third-party tools cannot work with Trezor after the new update. They have to update their platforms to continue working with the hardware wallets. Web-based applications using Trezor Connect version 8 don’t experience any change and continue to work as before. The patch for Electrum will be provided soon as a pull request. It will be impossible to use Electrum with Trezor 1.9.1 and 2.3.1 until this patch is released.