Trezor is a leader in the hardware wallet market. The company recently issued a warning on the presence of fake products imitating their hardware wallets. In the release, the company said,
“[PSA] In recent weeks we have discovered a non-genuine Trezor One devices which try to imitate the original to the bone.
For more information on how to spot a fake Trezor One device, please read our latest blog post here: https://t.co/tpe21iTVXm”
— Trezor (@Trezor) November 19, 2018
This development is not surprising. It is common knowledge that fraudsters will attempt to fake anything if there is a possibility of making money from it. In a release, the company said that this is not the first time fraudsters have attempted to clone the Trezor device.
However, it seems that this is the first time an unidentified fraudster has set out to fool users of the device. The release assured users that there are marked differences between the Trezor wallet and the fake one in terms of appearance and functionality.
Quite Different From The Original
It went on to describe the many differences that Trezor users should watch out for. The release said that some of the differences to look out for are in the packaging of the fake hardware wallet, which is not as aesthetic as the original.
According to SatoshiLabs, the similarities may just end with physical features. They stated that the fake device may not have the functionalities of the real Trezor and may be full of malware. Although this is not the first time Trezor has been copied, the company said that it may be complimentary that others are copying their device.
The fake product, which has “Made in China” written on it, is just the latest attempt to clone Trezor, which claims that its products cannot be affected by hacks. This was proven false when some hackers broke into a Trezor wallet in August 2017, leading to the identification of private keys and the theft of digital currencies.
Investigations by Trezor revealed that the seed for the hacked wallet was stored at a location accessible to the hackers. After upgrades, the company has continued assuring users that the device is safe.
SeptreAttack, a cyber security and audit company, has announced that there are vulnerabilities affecting not just Trezor but all devices using Intel, AMD and ARM processors, whatever device they are installed in. The list of devices included PCs, laptops, tablets and smartphones.
A CT report said,
“The Meltdown bug afflicted Intel chips that were estimated to be installed in about 90 percent of all computers worldwide. The Spectre bug affected Intel, ARM and AMD chips on any device and both types of malware were reported to be capable of operating in cloud storage environments.”
Hardware fraud is not uncommon in the cryptoverse. In January 2017, some attendees of Bitcoin Conferences were gifted fake hardware wallets meant to steal funds that would be placed on the devices.
There has been another instance in which a hacker was able to reset a user’s password after he faked the user ID with T-Mobile, the telecom carrier the user was registered with. It was not revealed how much bitcoin was stolen by the hacker.
Vulnerabilities do exist in hardware wallets despite the reassurances given by manufacturers. Hackers are also working hard at using phishing techniques to steal passwords and private keys.
Karl Kreder Ph.D wrote in a blog post that there are a number of vulnerabilities that can affect hardware wallets:
Man in the Middle Attack
This is an attack which, according to Kreder, is possible with cold storage devices that display 8 digits of the wallet address whenever the user sends funds. According to him, there are services such as vante.com which could hack the devices at a cost of $800.
User Device Firmware Upgrade
This is a vulnerability that occurs when the wallet is updated at the prompting of the manufacturer.
According to CT,
“Wallets like Ledger and Trezor can be vulnerable when being upgraded via a USB port. This option is often allowed by a manufacturer with the help of so-called USB Device Firmware Upgrade (DFU). As reported, the market has already seen successful attempts to use DFU to remotely dump the memory of the STM32F family of microcontrollers.”
Among the hazards the hardware owner faces at this time are the possible theft of private keys and having malicious actors flash the device to introduce malware.
Ordinarily, when a hardware wallet falls into the wrong hands, manufacturers reset the device after three unsuccessful attempts at logging in.
“It has been shown by Cryptotronix developers that Trezor STM32F205 could be glitched by using both Vcc and clock glitching attacks. As a result, the device becomes vulnerable and private keys can be obtained by a third party without needing to know the pin,” the CT report said.
Vulnerabilities Arising from Supply Chain
A supply chain vulnerability occurs when the device is tampered with after it has been sent to the buyer by the manufacturer. The device is protected by a holographic seal, which may be removed so that the device can be flashed with a malicious version of the software.
When the holographic seal is reapplied, the buyer may not know that the new software in the hardware wallet is meant to steal their cryptocurrency.
It is possible to spy on a device using the owner's phone camera. This is why the storage of recovery phrases and passwords can be the weak link in securing cryptocurrencies.
As expected, the community reaction was mixed: some people harangued Trezor for relying on a holographic seal for security, while others feel that the company has not done enough to secure its devices.
Some commentators gave suggestions to the manufacturer on how to improve the security of the device. Some who have bought the fake version also narrated their experiences.
“I can confirm. I bought 2 on Amazon several months ago, and they have the wrong holographic seal. Never opened them.”
— Brooke (@bitcoinmom) November 19, 2018.
Not Surprising That Fraudsters Are Interested in $100 Million Market
It really is not surprising that people are willing to fake products in a market worth nearly $100 million. That the fake product is substantially cheaper than the original will be enough incentive to attract buyers.
Unfortunately, it will also be an easy path to losing their cryptocurrencies to fraudsters. Experts are recommending vigilance while purchasing hardware wallets.
“Hello Rahul, the main differences are the hologram and barcode on the back of the box. The fake Trezor could be using our firmware, so it is best not to use it. The safest is to buy Trezor from our official shop or resellers.”
— Trezor (@Trezor) November 20, 2018.
They also advise owning more than one hardware wallet to diversify risks. The manufacturers have been advised to use legal means to stop the cloning of these devices.