Many users will have received an email in the last few hours about an update for their hardware wallet: v1.9.3 for the Trezor One and v2.3.3 for the Model T.
These updates patch a "man in the middle" attack that allowed an attacker to recover the hardware wallet passphrase and then steal all the funds.
A feature of tools like Trezor is that they create a wallet, and all the addresses derived from it start from the same seed phrase, so entering that phrase is enough to access all the wallets.
What is the flaw in Trezor?
The attack was explained by the team that discovered the flaw and reported it to Trezor's team, receiving a bounty reward.
They explained that once the passphrase is entered, there is no further check on whether or not the user actually confirms the entry.
This is where, by modifying any wallet, a "man in the middle" attack becomes possible: once the passphrase is obtained, criminals can move the victim's funds, since there is no confirmation or warning from the hardware.
Moreover, the flaw can be exploited to lock the user out and then demand a ransom to unlock the hardware wallet.
Of course, the complexity of the passphrase also has to be kept in mind: it is good practice to use a mix of letters, numbers and special characters, or a series of words from a list, which falls under BIP-039.
Remember that this is the umpteenth vulnerability this wallet has had to fix in a few months, which shows that a hardware wallet is not always the right choice, or that you must always be vigilant about the type of wallet you use.