Todos os artigos
Past security issues
A collection of security issues found both internally and externally.
For a more in-depth look at each issue, learn more on our GitHub page: Past Security Issues
As a way to engage with security researchers and hackers, we offer a bug bounty program. Learn more at trezor.io/security.
Security Issues
| Vulnerability | Date Reported | Notes | Details |
|---|---|---|---|
| Missing confirmation screen in the ECDHSessionKey call | 2023-11-26 | Impact: Skipped confirm on TS3 Severity: Medium Fix: Firmware 2.6.4 for Trezor Safe 3 Reported By: Mathias Herberts | GitHub |
| XSS in Trezor Connect legacy versions | 2023-02-07 | Impact: Possible phishing attack Severity: Medium Scalability: Remote (Interaction) Reported By: Jun Kokatsu | GitHub |
| Insufficient field size check in Protobuf | 2021-07-12 | Impact: Theft of Funds Severity: Critical Scalability: Remote (Interaction) Fix: Firmware 1.10.3 Reported By: Stellar Development Foundation | GitHub |
| Read Protection Downgrade Attack | - | Impact: Seed Exposure Scalability: Local invasive Reported By: Kraken | GitHub |
| Monero unlock_time issue | 2020-02-01 | Impact: Destruction of Funds Severity: High Scalability: Remote (Interaction) Fix: Firmware 2.3.0 Reported By: Sebastian Kung | GitHub |
| Possible large transaction fee via two Segwit transactions | 2020-03-03 | Impact: Destruction of Funds Severity: High Scalability: Remote (Interaction) Fix: Firmware 1.9.1 for Model One and 2.3.1 for Model T Reported By: Saleem Rashid | GitHub |
| Malicious change in mixed transactions | 2020-03-07 | Impact: Theft of Funds Severity: Critical Scalability: Remote (Interaction) Fix: Firmware 2.3.0 Reported By: Saleem Rashid | GitHub |
| OP_RETURN treated as change output | 2020-03-02 | Impact: Theft of Funds Severity: Critical Scalability: Remote (Interaction) Fix: 1.9.0 + 2.3.0 Reported By: Saleem Rashid | GitHub |
| Malicious change in mixed transactions | 2019-10-01 | Impact: Theft of Funds Severity: Critical Scalability: Remote (Interaction) Fix: Firmware 2.1.8 Reported By: Marko Bencun | GitHub |
| Information leak via OLED display | 2019-04-08 | Impact: TBD Severity: TBD Scalability: Local (Non-invasive) Fix: Firmware 1.8.2 Reported By: Christian Reitter | GitHub |
| Secret information leak via USB Descriptors | 2019-01-02 | Impact: Seed Exposure Severity: High Scalability: Local (Non-invasive) Fix: Firmware 1.8.0 for Model One and 2.1.0 for Model T Reported By: Colin O'Flynn | GitHub |
| SRAM dump via glitching the firmware update | 2018-12-27 | Impact: Seed Exposure Severity: Moderate Scalability: Local (Destructive) Fix: Firmware 1.8.0 Reported By: wallet.fail | GitHub |
| Side-channel analysis (SCA) of PIN comparison | 2018-10-31 | Impact: Theft of Funds Severity: Moderate Scalability: Local (Destructive) Fix: Firmware 1.8.0 Reported By: Charles Guillemet | GitHub |
| Buffer overflow in bech32_decode/cash_decode | 2018-09-26 | Impact: Device freeze Severity: None Scalability: Remote (Interaction) Fix: Firmware 1.7.1 Reported By: Christian Reitter | GitHub |
| Buffer overflow in message processing | 2018-05-25 | Impact: Seed Exposure Severity: High Scalability: Local (Non-invasive) Fix: Firmware 1.6.2 Reported By: Christian Reitter | GitHub |
| STM32F205 write-protection issue | 2018-02-12 | Impact: - Severity: - Scalability: Supply Chain Fix: Firmware 1.6.1 Reported By: Saleem Rashid | GitHub |
| Secret leak via SRAM residue | 2017-08-01 | Impact: Seed Exposure Severity: Moderate Scalability: Local (Destructive) Fix: Firmware 1.5.2 Reported By: Sunny | GitHub |
| Possible key extraction with oscilloscope | 2015-03-26 | Impact: Key Exposure Severity: High Scalability: Local (Non-invasive) Fix: Firmware 1.3.3 Reported By: Jochen Hoenicke | GitHub |
| Malicious change in mixed transactions | 2015-02-23 | Impact: Theft of Funds Severity: Critical Scalability: Remote (Interaction) Fix: Firmware 1.3.1 Reported By: Nicolas Bacca | GitHub |
Este artigo foi útil?