Can the seed phrase be extracted from the Trezor device and sent over the internet?
- This topic has 11 replies and 1 participant, and was last updated 1 year, 8 months ago by GlobeGenius.
July 6, 2023 at 19:43 #2632330
root_s2yse8vt
Administrator::Surprisingly, after many years, people have recently learned that with Ledger it has always been the case that the seed phrase can be extracted via firmware and transmitted over the internet, and it is only a matter of users trusting that Ledger behaves ethically and does not install firmware that can extract the seed phrase and send it over the internet without the users' knowledge and approval.
I understand that Trezor is open source, but I am not a technical person who can verify things. My simple question is: under any circumstances (government forcing Trezor, a court order, or whatever), can the Trezor company extract the seed phrase of certain Trezor wallets and send it over the internet to them or any entity, or is that a mission impossible, given that we assume the Trezor device itself is not capable of extracting the seed phrase and sending it over the internet because it is designed that way?
I hope I get an answer from the co-founder of Trezor to clarify this, please.
-
July 6, 2023 at 19:43 #2632331
jonklinger
Guest::In order for Trezor to do so, they first need to update the firmware on your specific device. This would mean that the Satoshi Labs offices are compromised. Then they would have to release the code through GitHub and thousands of people would review it. After that, they may be able to install malicious firmware on your Trezor if you accepted it.
This is highly unlikely to happen, but not impossible.
Even after that, how would the government know which person to target? I mean, they could have all the crypto held by Trezor holders for example, but it is much easier to just make crypto illegal.
-
July 6, 2023 at 19:43 #2632333
brianddk
Guest::> under any circumstances (government forcing Trezor or court order or whatever) can Trezor company extract seed phrase of certain Trezor wallets and send it over internet to them or any entity
Yes
Trezor, Ledger, Coldcard, Bitbox, Keepkey, and likely any other HW wallet you name has the ability to capture the seed at initialization, or read it out of the secure element. Same goes for any OS and SW wallet combo including Tails and Qubes OS.
There are no safe choices. Ledger’s claim was always dubious.
> This Secure Element (that only we have specs for) is a write only part (which only we can verify) and our firmware interaction with it (that is closed source) can never touch it.
Trezor talks about [why they picked STM32](https://blog.trezor.io/28d23f8949c6) instead of being legally bound to a microcontroller maker that forces all firmware to microcontroller interfaces to be hidden (closed source).
> I hope I get an answer from the co founder of Trezor and clarify it please.
He’s stated in the article above that STM32 is readable. What’s more, any seed setup mechanic will always go through firmware and, in closed source implementations, could always be cached.
Instead of waving their hands and declaring their magic box safe, they opened it up to the world to see and dared all to find bugs. And many have. And they have been fixed.
There is no safe solution. Either the firmware or OS will always know some secrets. I’d prefer to trust the dozen developers at Trezor to the 10,000 developers at Microsoft or the 5,000 developers at Canonical. You may choose differently.
My MUCH longer rant about opensourciness and why it helps, can be found here:
How Open-Sourciness Prevents the Ledger Seed Issue
by u/brianddk in TREZOR
-
July 6, 2023 at 19:43 #2632335
HeroicLife
Guest::> surprisingly after many years people have learnt recently that with Ledger, it has always been the case the seed phrase can be extracted via a firmware and transmitted over internet
This is incorrect. All hardware wallets store your seed — that is how they sign transactions.
Ledger is adding the ability for the seed to be shared and shared with its partners if you opt into their paid service.
It is not true that that "has always been the case".
Sure, Trezor can add the same feature if they want. But that feature is not in the firmware now (and we know that because it’s open source) and it is highly unlikely that they will ever add it.
-
July 6, 2023 at 19:43 #2632337
iciEric
Guest::Segregated wallets allow us to NOT rely on a single brand… without having to mess around with recovery backups.
Could be interesting to use a dedicated BIP39 child phrase with your Trezor.
If 1 seed phrase is compromised = it’s not so bad.
Learn more below.
AirGap Vault (BIP85): https://youtu.be/JVuURYQkhxg and https://support.airgap.it/guides/bip85/
Coldcard (BIP85): Segregated Bitcoin Accounts From One Seed. https://youtu.be/cRRB_WzZpTM and https://bip85.com/
Jade (BIP85): https://help.blockstream.com/hc/en-us/articles/15844055048857-How-do-I-generate-a-child-recovery-phrase-using-BIP85-
Seedsigner (BIP85): https://seedsigner.com/ Release 0.6.0 = https://github.com/SeedSigner/seedsigner/releases/
The page of BIP39 Tool of Ian Coleman saved on a USB Drive with Tails offline: https://iancoleman.io/bip39/ then check the box “Show BIP85” + https://tails.boum.org/install/download/index.en.html
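How the entropy behind a BIP85 child phrase, as mentioned in the post above, is derived: an added example, not part of the original thread and not any wallet vendor's code. Every step passes through HMAC-SHA512, so a leaked child phrase reveals neither the master seed nor sibling phrases, while a leaked master seed still exposes every child. The function names are this example's own, the sample seed is the public BIP32 test-vector seed, and the final BIP39 word encoding (which needs the 2048-word list) is left out.

```python
import hashlib
import hmac

# secp256k1 group order; BIP32 reduces child private keys modulo this value
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_from_seed(seed: bytes):
    """BIP32 master node: returns (private key as int, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_hardened(key: int, chain: bytes, index: int):
    """BIP32 hardened child derivation; uses only the parent private key."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child for this index, use the next one")
    return child, digest[32:]


def bip85_entropy(seed: bytes, words: int, index: int) -> bytes:
    """Entropy for the BIP85 child mnemonic m/83696968'/39'/0'/words'/index'."""
    if words not in (12, 18, 24):
        raise ValueError("words must be 12, 18 or 24")
    key, chain = master_from_seed(seed)
    # 39' selects the BIP39 application, 0' selects the English word list
    for step in (83696968, 39, 0, words, index):
        key, chain = ckd_hardened(key, chain, step)
    full = hmac.new(b"bip-entropy-from-k", key.to_bytes(32, "big"),
                    hashlib.sha512).digest()
    return full[: words * 4 // 3]  # 12 words -> 16 bytes, 24 words -> 32 bytes


if __name__ == "__main__":
    # Constructed input: the public BIP32 test-vector seed, never a real wallet
    sample_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    for child_index in range(3):
        print(child_index, bip85_entropy(sample_seed, 12, child_index).hex())
```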
-
July 6, 2023 at 19:43 #2632341
trickleupup
Guest::I expect to see a sell off now of all the tokens which are not on Trezor. Let’s hope Trezor starts adding those soon.
For example, Ledger started adding a Memo "LEDGER LIVE" for every ATOM staking transaction one makes! I saw a post on that topic in Ledger, and it was confirmed, but Ledger does not address that post as well.
Why would they do this, if they are not controlled now by the IMF!