Back to security portal

Missing confirmation in the ECDHSessionKey call

Reported on November 26, 2023

The Trezor Safe 3 returns the ECDHSessionKey without requiring appropriate user interaction, resulting in the omission of address confirmation screens in the user interaction workflow.

This concerns only the SSH functionality in Trezor and was fixed in 2.6.4.

Reported byMathias Herberts

Trezor Safe 3

Resolved vulnerabilities

Reported by community. Investigated. Resolved. Because your security is never optional.