Boosting Trezor Model T Security with SD-Protect & Wipe Pin (Full Guide + Install TrezorCTL)
- Published 20 Aug 2024
- Like my Bitcoin Wizard Mug, get one @ Amazon: amzn.to/2TP8aia
A quick guide that looks at how to install the TrezorCTL tool as well as use it to enable SD-Protect and Wipe-Pin for a Trezor Model T hardware wallet. This advanced feature offers a significant boost in security and goes a long way to mitigate the key extraction attacks that were demonstrated (impacting Trezor and Keepkey devices) over the last 12 months.
---------------------
If you are new to Crypto, my suggestion is that you start with buying ~$150 worth of Bitcoin, Ethereum, Litecoin @ Coinbase and get familiar with storing it, moving it around, etc.
For your first purchase, just stick with CoinBase: www.coinbase.c...
For Trading, just start with Binance: www.binance.co...
By sticking with large, reputable exchanges for your first purchase (Coinbase) and first trade (Binance) you can avoid getting scammed right at the start by purchasing a non-existing coin off a scammy exchange. (You would be surprised how many people fall into this trap)
Don't have a hardware wallet?
Be safe and buy them direct from the manufacturer. (Not just through some random on eBay, Amazon, etc)
Get a Ledger: shop.ledger.co...
(If you are just starting out, I would just recommend a Ledger Nano S)
If this was helpful, feel free to send me a tip:
BTC: 37hiiSB1Poj6Shs8WawPS2HjT2jzHkFSQi
BCH: qr9qenlgjh0xlyz802h70ul69rpdj8z6qyuh7m79ah
LTC: MRWnUcsyofisVp5GvX7nxMog5caneycKZ6
ETH: 0xCe41d43349E1c8C53E02631650E236d94A899a95
VTC: vtc1qxauv20r2ux2vttrjmm9eylshl508q04uju936n
ZEN: znUihTHfwm5UJS1ywo911mdNEzd9WY9vBP7
#bitcoin #btc #ethereum #eth #cryptocurrency #crypto #ledger #trezor #security
Thank you. I dont even have a Trezor, but I like your knowledgeable videos.
Thanks, been a bit Trezor heavy, but will be giving some more attention to Ledger stuff from next week :)
Thanks a lot for the easy explanation!
No worries, hopefully it will make its way into the normal Trezor wallet interface eventually :)
Interesting video and clear explanation. Would be interesting to have a way to then password encrypt that SD-card, but that would probably render it unusable for the Trezor? It's a bit like a yubikey 2FA (3FA).
You could store an encrypted backup of the SD protect data if you wanted and just restore it as required if you really wanted to.
@@CryptoGuide true, that would be an interesting option for long term (cold) storage. Shamir backup in different places in steel casing, model t with advanced passphrase in different location, encrypted SD-card in different location. But I suppose for long term storage you might get rid of the Trezor and simply store the shamir backups.
Well yea that's right. For any long term storage, you need to focus on storing the seed/shamir backups, not the Trezor itself. :)
Open a way to save the passphrase on the SD and not have to enter it every time Trezor asks for it in a transaction?
No
So it's basically 2FA for the trezor?
Exactly that, yea. (Sort of three if you count Trezor + SD + Pin)
@@CryptoGuide add a passphrase too and ur good to go!
Well yes and no, SD protect doesn't add any complexity to your backups in the way that adding a BIP39 passphrase does.
If you lose SD card,can u access crypto stored inside ?
Not with the Trezor, no, but you can still use your seed. You would just need to re-initialise the device with your seed phrase and you would be good to go. You could then re-enable sd-protect at some point in the future if you wanted.
@@CryptoGuide Thank you. But can be reinitialized TREZOR without SD card ,or i must buy another TREZOR?
Once you wipe the Trezor it is back to the state it was in when it was brand new. You can just reinitialise it like normal. The only device on the market that can't be fully factory wiped/reset is the Coldcard... For everything else, you never need to buy a new one, just wipe it...
@@CryptoGuide Thank you for your time and answers.
If you're going to buy a Trezor T, think it over carefully; the touchscreen is problematic, in some cases it fails or doesn't respond as it should. If you want a Trezor, better choose the Model 1.
The Trezor one is certainly great value
But PIN/Seed can still be extracted with the known exploit, no? The MCU is still vulnerable as before and there is no Secure Element.
Not if you are using SD protect and have the SD card removed. The keys are encrypted via the pin, but previously, a purely numeric pin meant that extracted data could be easily brute-forced in a few minutes. The MCU is still vulnerable, but SD protect is basically like introducing a massively long and random PIN where part of it is stored on the SD card. (So to be able to do a key extraction, the attacker would need the SD card too)
@@CryptoGuide I get it now. Interesting. Thanks for taking the time to clarify, appreciate it.
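The reply above (and the later one about the known exploit) describes SD protect as a long random value, kept on the SD card, that is mixed into the PIN-derived key protecting the device's secrets. The following is an added, constructed model of that idea, not Trezor's firmware code: the iteration count, salt lengths and toy XOR wrapping are assumptions chosen for illustration. It shows that an attacker holding a full flash image can verify PIN guesses offline when no SD salt is used, and that with the SD salt missing the same image yields nothing.

```python
"""Toy model of why SD protect raises the cost of offline PIN guessing.

Constructed example, not Trezor firmware: the wrapping key is derived from the PIN
plus a device salt (in flash) plus an SD salt (only on the SD card, if enabled).
"""
import hashlib
import math
import secrets
from dataclasses import dataclass

ITERATIONS = 2_000    # assumption for this model, not the real firmware's count
DEVICE_SALT_LEN = 16  # assumption: random salt stored in device flash
SD_SALT_LEN = 32      # assumption: random salt written to the SD card


@dataclass
class ExtractedFlash:
    """What a physical key-extraction attack is assumed to yield: all device storage."""
    device_salt: bytes
    wrapped_secret: bytes  # seed XORed with a key-derived keystream (toy wrapping)
    key_check: bytes       # hash of the wrapping key; lets any guess be verified offline


def derive_wrapping_key(pin: str, device_salt: bytes, sd_salt: bytes) -> bytes:
    """PBKDF2 over the PIN with both salts; sd_salt is empty when SD protect is off."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_salt + sd_salt,
                               ITERATIONS, dklen=32)


def xor_wrap(data: bytes, key: bytes) -> bytes:
    """Symmetric toy wrapping: XOR with a SHA-256 counter keystream (same call unwraps)."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def initialise(seed: bytes, pin: str, sd_protect: bool):
    """Set up a device; returns (flash contents, SD card contents)."""
    device_salt = secrets.token_bytes(DEVICE_SALT_LEN)
    sd_salt = secrets.token_bytes(SD_SALT_LEN) if sd_protect else b""
    key = derive_wrapping_key(pin, device_salt, sd_salt)
    flash = ExtractedFlash(device_salt, xor_wrap(seed, key), hashlib.sha256(key).digest())
    return flash, sd_salt


def unlock(flash: ExtractedFlash, pin: str, sd_salt: bytes):
    """Recover the seed, or None if PIN or SD salt is wrong (what a guess check sees)."""
    key = derive_wrapping_key(pin, flash.device_salt, sd_salt)
    if hashlib.sha256(key).digest() != flash.key_check:
        return None
    return xor_wrap(flash.wrapped_secret, key)


def guess_space_bits(pin_digits: int, sd_salt_bytes: int) -> float:
    """Bits an attacker holding only the flash image must guess to rebuild the key."""
    return pin_digits * math.log2(10) + 8 * sd_salt_bytes


if __name__ == "__main__":
    seed = b"constructed 32-byte seed value!!"
    flash, sd = initialise(seed, "1234", sd_protect=True)
    print("device + card:", unlock(flash, "1234", sd) == seed)   # True
    print("device only:  ", unlock(flash, "1234", b""))          # None
    print("4-digit PIN, no SD protect: %.1f bits" % guess_space_bits(4, 0))
    print("4-digit PIN + SD salt:      %.1f bits" % guess_space_bits(4, SD_SALT_LEN))
```

The two printed bit counts are the whole argument: a 4-digit PIN alone is about 13 bits, which an offline checker against `key_check` exhausts quickly, while adding a 32-byte SD salt pushes the space past 250 bits. That is also why leaving the card in the device all the time buys nothing: an attacker who takes both gets `sd` along with `flash`.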
I thought the wipe pin does work for the first Trezor as well...
That's correct, the wipe code bit will work with a Trezor One :)
@@CryptoGuide Is there a Trezor Command Line for Ubuntu?
@@coddiwompler59 it's actually just done in python, so works on the same cross platform. The Trezor wiki covers it here wiki.trezor.io/Using_trezorctl_commands_with_Trezor
If you get totally stuck, I can put together a short TrezorCTL only vid for Ubuntu
@@CryptoGuide Yes pls. I am not quite comfortable with Command line. Video is a bit easier to understand. Thanks for your help here. Much appreciated.
Is there a minimum size required for the sd card? like would an 8gb one work?
A 16mb one would be fine
Interesting video. Am I correct in thinking that by using the SD card protection that the PIN and seed can't be extracted using the known exploit even if not using a passphrase?
That's exactly right, as long as the attacker doesn't have the SD card they can extract the data, but can't decrypt it.
Crypto Guide Many thanks for your reply. Subscribed.
Thanks for the video. Highly informative on the topic, but I am more and more confused on another topic... I only want to use it as a FIDO2 password manager so that I can have different passwords for different sites that I don't have to remember. Do I still need the SD-Protect feature to be sure the device is secure, or was the exploit fixed since you posted the video? If so, you mentioned at the end that the SD card should not be in the device all of the time. Does this mean that I will have to carry the device and the SD card in my pocket separately and plug the card in every time I want to log in to Yahoo, for example? Thanks in advance.
Firstly, the key extraction method for Trezor and Keepkey devices cannot be fixed or patched without a complete hardware redesign. (As it is a fundamental weakness in the design) Basically the idea behind SD protect is that it writes some extra random data to an SD card that is used to protect the secrets stored on the device. This is why, if you just leave the SD card in there all the time, it doesn't really protect you if someone happened to get their hands on the device.
That said, if you are mostly interested in FIDO2, and not storing a bunch of crypto, the key extraction attack is far less significant as there are generally options to regain access to digital services and accounts. (Unlike with Bitcoin where once it is gone, there is no way to recover it) Even without any SD protect or anything, adding hardware authentication to your logins like this offers significant protection against remote attacks and malware.
Great video. Do you have a version for Trezor One? Thanks.
The process to install the command line tools is the same and Trezor One doesn't support sd-protect.
Does this completely eliminate physical vulnerability? Also, does this hinder everyday usage when using MetaMask? (Is there an extra step you need to go through to confirm transactions?)
It mitigates the physical attacks as long as you don't just leave the SD card in there all the time.
In terms of operation, it doesn't add any additional complexity, device just functions like normal.
Can you use a bip-39 passphrase and SD protect at the same time?
Yep, you can still use all the features of the device regardless of whether you are using SD protect.
Does SD protect prevent use of U2F if you don't have the SD card inserted?
Yes, SD protect prevents the device being unlocked, so your PC won't even see it as being connected until you have unlocked it with the correct pin + SD card inserted.
Can you have multiple SD cards or only one per Trezor? If you would like to keep a couple like shards in various safes or wtv?
You need all of it on one SD card to unlock, but you can make copies of the SD protect files and it will work fine. (And back these up however you like)
@@CryptoGuide i appreciate the quick reply, cheers 🤟
Hi. I see that your knowledge about Trezor is extensive. Can you tell me if a longer password (50-100 characters) can be generated in the password manager with Trezor T? Thank you.
I just tried with storing a 2048 character password and it worked fine. (Generated through an external app) In terms of the passwords the Trezor password manager itself generates, they are all 16 characters long.
@@CryptoGuide Thank you for your answer.
Bro what if the SD card is corrupted already, what should I do? Can I still take my assets inside the wallet even if it is corrupted?
If you have enabled SD protect and the card is then lost or damaged you will need to wipe the wallet and reinitialise it with your recovery seed.
@@CryptoGuide i see meaning i need to wipe the trezor and do the same procedure again to activate sd card protect. Thank u
That's right
When I do trezorctl list nothing happens
Does it say something like: 'trezorctl' is not recognized as an internal or external command, operable program or batch file.
@@CryptoGuide no it says:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.9/bin/trezorctl", line 5, in <module>
    from trezorlib.cli.trezorctl import cli
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/trezorlib/cli/trezorctl.py", line 191, in <module>
    @cli.resultcallback()
AttributeError: 'TrezorctlGroup' object has no attribute 'resultcallback'
Ah righto, I just re-downloaded the Trezor libs off PyPI and it's broken at the moment.
Basically you will need to force it to use a lower version of the click package, so the command for this is: pip3 install "click
@@CryptoGuide you are the man. I knew I was in trouble when I said forgot doing this on Mac, went to Windows and ran into the same thing. Appreciate you
Hey Armando Gomez, good to hear, feel free to shoot me a tip at www.reddit.com/user/Crypto-Guide/comments/czy13u/a_post_or_video_of_mine_was_helpful_feel_free_to/ :)
Also the wipe pin unlock gives the game away. I’d rather it not make it so obvious.
It might give the game away but there is basically a school of thought where it's sometimes better to be physically unable to access the funds there and then (or quickly create this reality) as opposed to simply choosing not to, or trying to trick the adversary into thinking you don't have anything.
Any promo code?
Not at this time, but black Friday sales probably aren't far off.
Enjoy your content but ...please speak a little more slowly. I'm old and can't hear fast anymore.
Will take that on board. If it helps, you can also decrease the playback speed on UA-cam to 0.75