Software update: Trezor One 1.7.1




Trezor has released new firmware for its Trezor One hardware wallet, with version number 1.7.1. The wallet lets you manage your cryptocurrency securely by storing the private key, the key with which you can make payments, outside your computer or smartphone. It supports more than 600 different cryptocurrencies and cryptotokens, such as bitcoin, ethereum, ripple, monero and zcash. The announcement for this release reads as follows:

Details about the security updates in Trezor One firmware 1.7.1

On Monday, October 29th, we released the firmware update 1.7.1 for Trezor One devices. Besides functional improvements, it contains security fixes for two related issues that we learned of on September 26th and October 24th, respectively.

Due to defensive techniques present in the firmware, the memory corruption triggered by both vulnerabilities activates a controlled shutdown of the Trezor One. This prevents a more dangerous outcome. It is only a remote denial of service attack that does not impact the security of the stored data.

Please note that several other vendors are also affected by different issues, which influenced our disclosure process.

The first vulnerability is a buffer overflow present in the bech32_decode function which is contained in code written by Bitcoin Core developer Pieter Wuille. It was found during fuzz testing research by Christian Reitter (independent security researcher working closely with SatoshiLabs) in coordination with Dr. Jochen Hoenicke (security researcher at SatoshiLabs) and immediately disclosed.

After assessing the impact on the Trezor One, Christian identified a number of open-source projects that have also been dealt with in encrypted and authenticated channels. During this process, we have worked with several projects to help them determine the practical impact on their project. Pieter Wuille has confirmed the bug. All projects have agreed to the proposed coordinated disclosure.

After disclosing the bech32_decode issue to Ledger in a later stage of the disclosure process, Ledger notified SatoshiLabs that they had found this issue and a second variant of the vulnerability in the cash_decode function. This function is present in bech32-derived code in the trezor-crypto library, and therefore relevant to Trezor-based projects. This buffer overflow is reliably detected on the Trezor. We thank Ledger for informing us about this issue.

There is no evidence that the vulnerabilities have been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

How to update the firmware?

At the time of writing, the new firmware 1.7.1 is optional and available from our beta web wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2 or 1.6.3, the update process is straightforward.

If you use older firmware (1.6.1 and older), you will need to update to firmware 1.6.3. We have added a functionality to our web wallet which will update your Trezor in two steps, if required.

Please note that if your Trezor One device is currently running version 1.6.1 (bootloader version 1.4.0), your device memory will be updated after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.

Version number: 1.7.1
Release status: Final
License type: Conditions (GNU / BSD / etc.)

