Insufficient entropy on Trezor Model One with 12/18 words
Trezor Model One offers two types of wallet recovery procedures. In Standard Recovery of a 24-word seed, the words are entered on a computer in a randomized order: the computer learns which words make up the seed but not their position, so an attacker who observes the entry still has to find the correct ordering of 24 words, which provides 79 bits of security.
While 79 bits can still be considered secure, we introduced Advanced Recovery back in 2016 to address this. In this case, the words are entered directly on Trezor, providing the original 128/192/256-bit security (for 12, 18, and 24 words, respectively).
Trezor Suite did not properly communicate the risks of Standard Recovery; this was reported to us by an anonymous reporter. While 79 bits of entropy can still be considered secure, the problem arises with 12- or 18-word seeds, where the entropy is lower.
For seed lengths of 12 or 18 words, the device generates random extra words and mixes them with the real backup words so that the total number of words entered by the user is always 24. These extra words are not part of the backup and are regenerated on every recovery attempt. The “Check wallet backup” feature in Trezor Suite settings, which allows the user to perform a simulated recovery, works the same way. If a user goes through this process more than once, an attacker who observed the entries can easily determine which words are fake, because only the real words appear every time. This collapses the security to 28 bits (for 12 words) and 52 bits (for 18 words), neither of which is considered secure.
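To make the figures above concrete, the following Python sketch (an added example, not Trezor code) computes the order-only entropy log2(n!) behind the 79, 28 and 52-bit numbers and simulates why repeating Standard Recovery with a 12-word backup reveals the padding words. The wordlist is a constructed placeholder of BIP-39 size, not the real list.

```python
import math
import random

# Constructed placeholder wordlist of BIP-39 size (2048 entries); not the real list.
POOL = [f"word{i:04d}" for i in range(2048)]
REAL_WORDS = POOL[:12]  # hypothetical 12-word backup used for the simulation


def order_entropy_bits(n_words: int) -> float:
    """Standard Recovery security: the computer sees every word but not its
    position, so the remaining secret is the ordering, i.e. log2(n!) bits."""
    return math.log2(math.factorial(n_words))


def standard_recovery_entry(real_words, rng):
    """One Standard Recovery on Model One with a short backup: the device pads
    the backup with freshly generated extra words up to 24 and shuffles them."""
    candidates = [w for w in POOL if w not in real_words]
    entered = list(real_words) + rng.sample(candidates, 24 - len(real_words))
    rng.shuffle(entered)
    return entered


def words_common_to(entries):
    """Words present in every observed entry. Extra words are regenerated per
    attempt, so after a few attempts only the real backup words remain."""
    return set.intersection(*(set(e) for e in entries))


def leakage_demo(attempts=3, seed=1):
    """Simulate a user repeating Standard Recovery (or 'Check wallet backup')
    and report how much entropy is left once the padding is identified."""
    rng = random.Random(seed)
    entries = [standard_recovery_entry(REAL_WORDS, rng) for _ in range(attempts)]
    common = words_common_to(entries)
    return {
        "single_attempt_bits": order_entropy_bits(24),      # about 79 bits
        "identified_real_words": common,
        "remaining_bits": order_entropy_bits(len(common)),  # about 28 bits
    }


if __name__ == "__main__":
    result = leakage_demo()
    print(f"one attempt: {result['single_attempt_bits']:.1f} bits")
    print(f"after repeats: {result['remaining_bits']:.1f} bits "
          f"({len(result['identified_real_words'])} real words identified)")
```

Advanced Recovery avoids this entirely because the words never reach the computer, so the full 128/192/256 bits of the seed remain.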
Please note that Trezor Model One uses 24 words by default, and the Safe series offers a different backup (Multi-share Backup) that Model One cannot recover. This therefore applies only to users who recover a wallet backup created on a Model T, or potentially on some software wallets that provide a 12- or 18-word seed, onto a Model One.
As a mitigation, we disabled Standard Recovery on Model One for 12- and 18-word recoveries unless the firmware safety checks are turned off. This means the user is forced to use Advanced Recovery for 12 or 18 words. For 24 words, both options are available.
We would like to thank the reporter for bringing this to our attention.