Trezor released new firmware for its hardware wallet to address a recently found security flaw. The new firmware for Trezor One (version 1.9.1) and Trezor Model T (version 2.3.1) is now available to install.
Fixing Vulnerability in Segwit Transactions
Saleem Rashid found the new vulnerability in the Trezor hardware wallets’ firmware and reported it through a responsible disclosure program. The company updated the firmware to address it, and the release also includes some internal refactoring.
Trezor always requires the previous transactions in order to check the UTXO’s real balance. For non-Segwit transactions, this check makes sure users don’t unknowingly pay a high transaction fee. But after the introduction of Segwit, the principles changed a little:
“With the introduction of Segwit, the Bitcoin developers tried to simplify this. When signing a Segwit transaction, a slightly different piece of data is being signed. This is defined in BIP-143, and one of the changes was that the amount of the UTXO is present in the signed data. This helps significantly; if the attacker lies about the UTXO’s amount, the signature is simply not valid in the Bitcoin network,” says Trezor.
Trezor explains the recent vulnerability in Segwit transactions on its hardware wallets in a blog post. In summary, an attacker could use the vulnerability, together with malware, to get the victim to confirm another transaction alongside their original transaction and so pay more cryptocurrency. Trezor explained the fix for the vulnerability:
“The fix is straightforward — we need to deal with Segwit transactions in the very same manner as we do with non-Segwit transactions. That means we need to require and validate the previous transactions’ UTXO amounts. That is exactly what we are introducing in firmware versions 2.3.1 and 1.9.1.”
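The check the fix describes can be sketched as follows. This is an added example, not Trezor's firmware code: it assumes the amount is validated by hashing the host-supplied previous transaction, matching it against the input's txid, and comparing the referenced output's amount. All function names and the sample transaction are constructed, and only non-witness serialization of the previous transaction is handled.

```python
import hashlib
import struct

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def txid_hex(raw_tx):
    """Transaction id: double SHA-256 of the serialization, byte-reversed."""
    return hashlib.sha256(hashlib.sha256(raw_tx).digest()).digest()[::-1].hex()

def output_amounts(raw_tx):
    """Output amounts in satoshi from a non-witness serialized transaction."""
    pos = 4  # skip version
    n_in, pos = read_varint(raw_tx, pos)
    if n_in == 0:
        raise ValueError("witness serialization is not handled here")
    for _ in range(n_in):
        pos += 36  # previous txid (32) + output index (4)
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    amounts = []
    for _ in range(n_out):
        amounts.append(int.from_bytes(raw_tx[pos:pos + 8], "little"))
        pos += 8
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len
    if pos + 4 != len(raw_tx):  # only the 4-byte locktime may remain
        raise ValueError("malformed previous transaction")
    return amounts

def verify_claimed_amount(prev_txid, vout, claimed, raw_prev_tx):
    """True only if raw_prev_tx hashes to prev_txid and output vout pays claimed."""
    if txid_hex(raw_prev_tx) != prev_txid:
        return False  # host supplied some other transaction
    amounts = output_amounts(raw_prev_tx)
    return 0 <= vout < len(amounts) and amounts[vout] == claimed

def build_sample_prev_tx():
    """Constructed sample: one input, outputs of 150000 and 20000000 satoshi."""
    tx = struct.pack("<I", 1) + b"\x01" + bytes(36) + b"\x00" + b"\xff" * 4 + b"\x02"
    for amount in (150_000, 20_000_000):
        script = b"\x00\x14" + bytes(20)  # P2WPKH-shaped script, dummy hash
        tx += struct.pack("<Q", amount) + bytes([len(script)]) + script
    return tx + bytes(4)  # locktime 0
```

A signer that runs this check for every input rejects a host that understates or overstates a UTXO amount, because the amount is read from a transaction bound to the input's txid rather than taken from the host's claim.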
Some third-party tools cannot work with Trezor after the new update; they have to update their platforms to continue working with the hardware wallets. Web-based applications using Trezor Connect version 8 don’t experience any change and continue to work as before. The patch for Electrum will be provided soon as a pull request. It will be impossible to use Electrum with Trezor firmware 1.9.1 and 2.3.1 until this patch is released.