Reply to: Question about the security of Trezor
I’m going into tin-foil-hat territory, but it seems like one thing we must trust when installing firmware from the manufacturer (Ledger or Trezor) is that they don’t have any ill intent.
If they do (under pressure from a government or if taken over by a crypto-hostile agency that wants to destroy the crypto industry), it sounds like the company could produce an "authentic" (digitally signed by the company) firmware which would then be able to extract and transmit your private key info (when used in conjunction with a desktop or mobile app or plug-in/extension that interacts with the hardware wallet).
This seems to be a risk for Trezor or Ledger or any other hardware wallet company that provides firmware updates.
Can someone explain in some detail how Trezor being open source reduces this risk?
While I know the source is published so it can be viewed, exactly what steps are performed by Trezor and/or the community to confirm that the firmware you download from Trezor is running the same code that was published?
Basically, I’m trying to get a better understanding of the amount of trust we are putting in the wallet manufacturers and how easily these manufacturers could betray that trust without detection if they chose to do so.
While not a huge concern right now, the Ledger thing got me wondering about this and I was thinking the risks of this become greater the more dominant any one wallet manufacturer becomes.
