TREZOR One: Firmware Update 1.6.1

Security update released for TREZOR One devices • The update process verifies the integrity of your device • Details in the article

SatoshiLabs
Trezor Blog

--

Today, on March 21st, we have released a new security update for TREZOR One devices. This update patches a physical security issue discovered in mid-February through our responsible disclosure program. There is no evidence that this vulnerability has been used in practice. Nonetheless, the new system will also verify the integrity of your TREZOR device, making sure it is safe to use.

The TREZOR Wallet interface will offer the firmware update for your TREZOR One. Please make sure you have your recovery seed nearby before starting the update process.

The TREZOR Model T is not affected by this vulnerability. All TREZOR One devices are affected and should be updated to the newest firmware version. The firmware update will also update the bootloader of your TREZOR One device.

Too long, did not read

The vulnerability described below affects the supply chain of TREZOR One devices primarily. If your TREZOR One is already initialized and set up, then you are likely not affected. If you just purchased your TREZOR One device, make sure that you install/update the latest firmware version before using it.

TREZOR comes with tamper-evident seals, ensuring that you are the first person to open the package. When purchasing from TREZOR Shop or any of our resellers, if your package arrived unscathed, your TREZOR One is safe.

The newest firmware verifies the authenticity of the bootloader in the device. The bootloader checks the signature of the firmware. If both are genuine, your device will not display a warning, and therefore your TREZOR is safe to use.

Details about the security update

In February 2018, Saleem Rashid, an independent security researcher and TREZOR contributor, discovered a security vulnerability in the memory write-protection operations of the STM32F205 processor, which the TREZOR One uses, and disclosed the issue through our Responsible Disclosure program. Saleem communicated with us professionally, as usual, and assisted where possible. We worked together with him and STMicroelectronics to develop a fix that closes this vulnerability. The update released today contains this fix.

“I am thankful to Saleem for his contributions to Trezor project. His out-of-the-box thinking and creative approach help us to make an even more secure product. This experience only proves that community-oriented and open-source development is the correct path to take.”

— Marek Palatinus, CEO SatoshiLabs

What was the issue?

This vulnerability does not enable private key extraction.

The STMicroelectronics chip STM32F205 used in the TREZOR One device contains a flaw, which effectively disables the write-protection employed to protect the bootloader of the device. This is an unexpected and undocumented behavior of the chip. Once the issue was disclosed and replicated, we immediately reached out to the chip manufacturer, STMicroelectronics. After several meetings, the manufacturer confirmed the observed behavior and added that not only the whole F2 family is affected, but also the earlier models of the F4 family, such as STM32F405, are susceptible. (The newer F4 family models, such as STM32F427, are not affected.)

Detailed explanation: Settings for write-protection are stored in the so-called OPTION BYTES. These settings persist across reboots and are set via a register called FLASH_OPTCR (the option byte configuration register). To change the OPTION BYTES, you write the new configuration into the FLASH_OPTCR register and then issue a commit. If the OPTION BYTES are unlocked (rewritable), the new settings are copied from FLASH_OPTCR to the OPTION BYTES, where they survive a restart. Once we at TREZOR no longer want to allow any change to the OPTION BYTES, we can lock them forever using the read-protection, which is configured in the same settings area. However, the flash memory controller in these chips does not look for the write-protection configuration in the OPTION BYTES, where it should, but in the FLASH_OPTCR register instead. The value there can, of course, be changed even when the OPTION BYTES are properly locked, which renders the write-protection useless on these chips.

Since the issue is not planned to be fixed in hardware by the manufacturer, we have opted to engineer a software solution closing this vulnerability in its entirety. We are open-sourcing this method as a part of the TREZOR One project. The code is available on GitHub. Details are available further below in this article.

“I am very impressed by the incredibly rapid response from TREZOR. While it’s unfortunate the chip had this issue, SatoshiLabs has implemented an excellent fix that not only fixes the issue but also helps prevent other potential attacks.”

— Saleem Rashid, independent security researcher

How does this affect TREZOR One?

This flaw in the chip allows an attacker to modify and replace the bootloader via a malicious firmware update. It is important to note that this vulnerability cannot be exploited remotely. As this security issue requires the attacker to install custom firmware on the device, it does not affect already initialized devices; the device memory would be erased during this process. Therefore, this issue only affects devices before the delivery to a customer.

The chance that your device has been modified during transport is, however, very low. First of all, the device packaging features tamper-evident seals. The packaging of TREZOR One is also glued together with an industrial-grade solution. When purchasing from TREZOR Shop or any of our resellers, if your package arrived unscathed, your TREZOR One is safe.

If you do suspect your device was tampered with during the transport, please contact our Support Team.

How was the issue fixed?

TREZOR already comes with several physical and software precautions:

  • The device comes with tamper-evident seals on the packaging. The packaging itself is glued together with an industrial-grade solution.
  • We always recommend purchasing the device via a trusted channel: TREZOR Shop or authorized resellers.

Today’s security update brings about additional enhancements to the software solution for the TREZOR One device, which is applied on two levels:

  • Firstly, the firmware update released today contains new code, which checks the authenticity of the bootloader of your device. The firmware will update your device’s bootloader to the latest version.
  • Secondly, as the bootloader write-protection by STMicroelectronics is flawed, we supplemented it with write-protection enforced by the MPU (Memory Protection Unit): Only a firmware signed by SatoshiLabs is allowed to modify sensitive parts of the memory. As the bootloader already checks the firmware signature, this was relatively easy to implement.

Detailed explanation: The solution is to supplement the flawed OPTION BYTES write-protection with another available protection mechanism, the MPU (Memory Protection Unit), which is a different part of the chip. Using this unit in the bootloader, we can specify which areas of memory can and cannot be accessed, reaching the intended level of protection (the MPU restricts access to sensitive parts of the memory, including the bootloader area and the FLASH_OPTCR register). STMicroelectronics confirmed that using the MPU resolves the issue.

  • The activated MPU also prevents code execution from memory.
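
The two detailed explanations above (the write-protection check reading FLASH_OPTCR instead of the OPTION BYTES, and the MPU restricting access to that register) can be followed in a small software model. This is an added example, not TREZOR or STMicroelectronics code; the struct, the function names and the one-bit-per-sector encoding are assumptions made for illustration and do not reflect the real register layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, constructed for illustration (not ST or TREZOR code).
 * One bit per flash sector; in this model a set bit means write-protected. */
typedef struct {
    uint32_t option_bytes_wrp; /* persistent OPTION BYTES setting */
    uint32_t optcr_wrp;        /* FLASH_OPTCR register contents */
    bool option_bytes_locked;  /* OPTION BYTES can no longer be changed */
    bool mpu_enabled;          /* bootloader has armed the MPU */
} flash_model;
enum { BOOTLOADER_SECTOR = 0 };

/* Write to FLASH_OPTCR. With the MPU armed, only signed firmware may
 * touch the register; anything else is refused. */
bool write_optcr(flash_model *f, uint32_t wrp, bool signed_firmware) {
    if (f->mpu_enabled && !signed_firmware) return false;
    f->optcr_wrp = wrp;
    return true;
}

/* Commit: the register reaches OPTION BYTES only while they are unlocked. */
bool commit_option_bytes(flash_model *f) {
    if (f->option_bytes_locked) return false;
    f->option_bytes_wrp = f->optcr_wrp;
    return true;
}

/* Expected behaviour consults OPTION BYTES; affected chips consult FLASH_OPTCR. */
bool sector_writable(const flash_model *f, int sector, bool flawed_chip) {
    uint32_t wrp = flawed_chip ? f->optcr_wrp : f->option_bytes_wrp;
    return !(wrp & (1u << sector));
}

/* Unsigned firmware clears the protection bit in the register only.
 * Returns true if the bootloader sector ends up writable. */
bool bootloader_exposed(bool flawed_chip, bool mpu_enabled) {
    uint32_t prot = 1u << BOOTLOADER_SECTOR;
    flash_model f = { prot, prot, true, mpu_enabled }; /* state after reset */
    write_optcr(&f, 0, false);
    commit_option_bytes(&f); /* refused: OPTION BYTES are locked */
    return sector_writable(&f, BOOTLOADER_SECTOR, flawed_chip);
}

int main(void) {
    printf("expected=%d flawed=%d flawed+MPU=%d\n", bootloader_exposed(false, false),
           bootloader_exposed(true, false), bootloader_exposed(true, true));
    return 0;
}
```

In the model the locked OPTION BYTES never change in any of the three cases; only the source the controller consults, and whether the register write is allowed at all, decides the outcome.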

How to update firmware?

First of all, please make sure you have your recovery seed with you when you perform the update. (Link to manual)

Go to TREZOR Wallet and follow the update instructions shown on the screen. When prompted, replug your TREZOR One device with both buttons pressed to start it in bootloader mode. Confirm the update procedure, and you will have a new firmware on your device.

On boot of the new firmware 1.6.1, the system will check the hash of the bootloader, to verify its integrity. During the first boot of the firmware 1.6.1, the firmware will also update the bootloader to the latest version. At the end of this process, the device will ask you to reconnect. Therefore, you will reconnect twice during this update: once after firmware update and once after the bootloader update by firmware. Please follow the instructions on the device screen.

Update prompt. | Firmware update successful. | Bootloader update successful.

The firmware now checks the authenticity of the bootloader. If the bootloader was issued by us, then the device will run without any warning. The bootloader, in turn, checks the firmware signature, making sure that both software parts are running genuine code.

Frequently Asked Questions

Is my TREZOR One safe?

There is no evidence that this vulnerability has been used in practice. Nonetheless, we have decided to release this update for preventive reasons, according to our security philosophy and responsible disclosure program.

If your TREZOR One arrived with its packaging intact, then your TREZOR is safe to use. The firmware update will check your bootloader version, its authenticity and update it.

If your TREZOR One arrived with its packaging opened, then your TREZOR might still be safe to use, under certain circumstances. The firmware update will check your bootloader version, its authenticity and update it. If the bootloader passes the authenticity check, your device will run without errors and thus it is safe to use.

If the bootloader does not pass the authenticity check, the firmware will warn you. In this case, please contact our Support Team.

Is TREZOR Model T affected?

The TREZOR Model T is not affected by this vulnerability, because it uses a chip with a different flash controller — STM32F427.

I am about to buy a new TREZOR One. Will it be affected?

If you are buying a TREZOR One directly from TREZOR Shop, we are already shipping out devices with the latest bootloader. These devices are not affected by the issue disclosed in this article.

I bought a TREZOR One yesterday, is it affected?

If your TREZOR One arrived with its packaging intact, then your TREZOR is safe to use. The firmware update will check your bootloader version, its authenticity and update it.

If your TREZOR One arrived with its packaging opened, then your TREZOR might still be safe to use, under certain circumstances. The firmware update will check your bootloader version, its authenticity and update it. If the bootloader passes the authenticity check, your device will run without errors and thus it is safe to use.

If the bootloader does not pass the authenticity check, the firmware will warn you. In this case, please contact our Support Team.

I bought a TREZOR One from an official reseller yesterday, is it affected?

The answer above applies to this case as well. If you need to contact our Support Team, please attach the name of the reseller.

I bought a TREZOR One from an official reseller and initialized it already. Am I at risk?

Please update the device firmware. If the update does not warn you during the bootloader update (second part of the update process), then your device is safe to use.

I have an uninitialized TREZOR One. What next?

If your device is not yet initialized, then please update the firmware first. The firmware update will also update the bootloader, making sure you are starting off with a secure device.

Do I really need to update?

Even though the vulnerability disclosed in this article cannot be exploited to extract private keys from the device, we still recommend keeping your devices up-to-date at all times. Regular firmware updates are the key to a secure product.

Please, go to TREZOR Wallet. If the Wallet tells you your firmware is outdated, please run the update process. The firmware update will update the bootloader as well.

What is the newest firmware and bootloader version of TREZOR One?

Firmware: 1.6.1

Bootloader: 1.4.0

Are other hardware wallets affected?

All hardware wallets using STM32F205/F405 are potentially vulnerable to this attack vector. We have already reached out to other producers of hardware wallets and informed them about the issue.

Why is the issue disclosed in detail on the same day as the update release?

There are multiple reasons why we decided to release a full disclosure today. The most important are:

  1. The vulnerability cannot be exploited to extract private keys out of already-initialized devices, meaning TREZOR One users are not at risk.
  2. The production code of TREZOR One firmware is published publicly as it is open source, so even without technical details, a potential attacker can understand the nature of the vulnerability from the source code.
  3. Our philosophy is rooted in absolute transparency, and therefore we prefer to keep our users informed as soon as possible.

Timeline

2018-02-12: Issue reported by Saleem Rashid and reproduced.

2018-02-13: Reached out to STMicroelectronics.

2018-02-14: Contact with the Czech branch of STMicroelectronics established.

2018-02-19: First phone call meeting with STMicroelectronics.

2018-03-08: Meeting with STMicroelectronics in the Czech headquarters.

2018-03-09: Production halted.

2018-03-14: Production resumed with a fix in the new bootloader.

2018-03-16: Informed other TREZOR-based hardware wallets using the affected STM32F205 chip.

2018-03-21: Informed customers and resellers; new firmware fixing the vulnerability released.
