All articles

Security & Safety in Trezor

The purpose of this article is to give a detailed account of the software specifications and security features used by the Trezor Safe 5, Trezor Safe 3, Trezor Model T, and Trezor Model One.

Table of Contents

The software used in Trezor devices has always been open-source to be fully auditable. Everyone can look at the code used in Trezor devices and verify its integrity, look for vulnerabilities, or suggest improvements and integrations.

We made Trezor fully transparent to eliminate the inherent need for trust and to share as much of our knowledge and ideas with the broader community.

See the SatoshiLabs Security Philosophy Manifesto for more details on our principles and motivations.

You can verify and build the software used in Trezor devices. See the source code at Trezor GitHub:

You can also refer to our Developer's Guide.

Trezor Safe 5

There are multiple layers of code ensuring the legitimacy and safety of operations executed by your device.

The boardloader is the write-protected, embedded-immutable code of the device. It loads and checks the integrity of the bootloader. It prevents code-based attacks (e.g., BadUSB) and ensures only verified embedded code runs on the device.

The boardloader cannot be updated, modified, or removed.

Boardloader key points:

  • Embedded and unmodifiable
  • Loads the bootloader and checks its integrity

The bootloader installs, updates, and checks the firmware. If unofficial firmware is detected, the device displays a warning.

If both buttons are pressed or no firmware is present, the device starts in firmware update mode.

Bootloader key points:

  • Uploads, updates, and checks firmware integrity
  • Is updatable
  • Signatures checked by the bootloader

Firmware operates the device, executes functions, and maintains security. Updates require physical confirmation on the device.

Firmware key points:

  • Operates the device
  • Checked by the bootloader
  • Regularly updated

Keep your device updated with the latest firmware to counter security threats.

Physical Access

Trezor devices implement several safety measures to prevent unauthorized access. Notably, Trezor Safe 5 has a dedicated OPTIGA™ Trust M Secure Element, which protects highly sensitive information from hardware and software attacks.

Learn more about Secure Elements in Trezor Safe Devices: Secure Element in Trezor Safe Devices

Trezor Safe 3

There are multiple layers of code ensuring the legitimacy and safety of operations executed by your device.

The boardloader is the write-protected, embedded-immutable code of the device. It loads and checks the integrity of the bootloader.

Boardloader key points:

  • Embedded and unmodifiable
  • Loads the bootloader and checks its integrity

The bootloader installs, updates, and checks the firmware. If unofficial firmware is detected, the device displays a warning.

Bootloader key points:

  • Uploads, updates, and checks firmware integrity
  • Is updatable
  • Signatures checked by the bootloader

Firmware operates the device, executes functions, and maintains security.

Firmware key points:

  • Operates the device
  • Checked by the bootloader
  • Regularly updated

Keep your device updated with the latest firmware to counter security threats.

Trezor Model T

There are multiple layers of code ensuring the legitimacy and safety of operations executed by your device.

The boardloader is a write-protected, embedded-immutable code that loads and checks the integrity of the bootloader.

Boardloader key points:

  • Embedded and unmodifiable
  • Loads the bootloader and checks its integrity

The bootloader installs, updates, and checks the firmware. If an unofficial firmware is detected, a warning is displayed.

Bootloader key points:

  • Uploads, updates, and checks firmware integrity
  • Is updatable
  • Signatures checked by the bootloader

Firmware operates the device, executes functions, and maintains security.

Firmware key points:

  • Operates the device
  • Checked by the bootloader
  • Regularly updated

Keep your device updated with the latest firmware to counter security threats.

Trezor Model One

There are multiple layers of code ensuring the legitimacy and safety of operations executed by your device.

The bootloader installs, updates, and checks the firmware loaded on the device. It verifies the integrity of the firmware and displays a warning if unofficial firmware is detected.

Bootloader key points:

  • Uploads, updates, and checks the integrity of the firmware
  • Is updatable
  • Signatures checked by the bootloader

Firmware operates the device, executes functions, and maintains security.

Firmware key points:

  • Operates the device
  • Checked by the bootloader
  • Regularly updated

Keep your device updated with the latest firmware to counter security threats.

;