Trezor Discloses Hardware Vulnerability in Safe 7, Funds Remain Secure

Summary
Trezor disclosed a vulnerability involving the TROPIC01 security chip in its Safe 7 hardware wallet. The issue, discovered by Ledger’s Donjon team using laser fault injection, enables extraction of one of three PIN protection secrets, reducing the Safe 7’s physical security to two layers—though user funds remain secure. The attack requires physical access, device disassembly, and specialized equipment, making it impractical for average users. Cyvers noted that real-world threats such as phishing and dApps pose greater risks. The vulnerability cannot be patched via firmware, and Trezor has not commented on potential refunds.
CoinDesk reports:

Trezor has disclosed a hardware-level vulnerability in the TROPIC01 security chip used in its flagship hardware wallet, Safe 7; however, user funds remain protected under current attack conditions.

The vulnerability was discovered by an independent audit.

This issue was identified by Donjon, Ledger’s independent security research team, during an audit. The auditors successfully extracted one of the three “secrets” protecting the user’s PIN by using a laser fault injection attack on the TROPIC01 chip.

This means that Safe 7’s original three-layer physical isolation is reduced to two layers. However, Trezor states that compromising this chip alone is still insufficient to directly obtain the PIN or take control of the assets in the wallet.
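To make the "one of three secrets" reasoning concrete, the following added example (constructed for this page, not Trezor's or TROPIC01's actual key-derivation scheme) models a PIN-unlock key derived from three independent device secrets plus the PIN. The device stores only a check value, so a PIN guess can be verified only when all three secrets are present. The attacker model then shows why extracting one secret in isolation does not let an attacker brute-force the PIN, while extracting all three would. The 4-digit PIN, the 32-byte secrets, the fixed salt and the low iteration count are all assumptions chosen for the demonstration.

```python
"""Illustrative model of PIN protection built from several independent secrets.

Constructed example, not Trezor's design: an unlock key is derived from three
device secrets plus the PIN, and a stored check value lets the device confirm
a PIN without storing it. Losing one secret leaves the other two as a barrier.
"""
import hashlib
import hmac
import secrets
from itertools import product
from typing import Optional

PIN_DIGITS = 4           # assumption: 4-digit PIN, 10_000 candidates
KDF_ITERATIONS = 100     # kept tiny so the demo runs quickly; real devices use far more
KDF_SALT = b"pin-unlock-demo"  # constructed fixed salt for the demo


def derive_unlock_key(secret_a: bytes, secret_b: bytes, secret_c: bytes, pin: str) -> bytes:
    """Bind the PIN to all three secrets; changing or omitting any one changes the key."""
    material = secret_a + secret_b + secret_c + pin.encode()
    return hashlib.pbkdf2_hmac("sha256", material, KDF_SALT, KDF_ITERATIONS)


def make_check_value(unlock_key: bytes) -> bytes:
    """Value the device stores to confirm a PIN without keeping the PIN itself."""
    return hmac.new(unlock_key, b"check", hashlib.sha256).digest()


def setup_device(pin: str):
    """Provision three independent 32-byte secrets and the check value for `pin`."""
    secret_a, secret_b, secret_c = (secrets.token_bytes(32) for _ in range(3))
    check = make_check_value(derive_unlock_key(secret_a, secret_b, secret_c, pin))
    return secret_a, secret_b, secret_c, check


def brute_force_pin(known_a: Optional[bytes], known_b: Optional[bytes],
                    known_c: Optional[bytes], check_value: bytes) -> Optional[str]:
    """Attacker model: enumerate every PIN using only the secrets that were extracted.

    A secret the attacker does not hold is modelled as empty bytes; a missing
    32-byte random secret is not enumerable, so the PIN search cannot succeed
    unless every secret is known.
    """
    for digits in product("0123456789", repeat=PIN_DIGITS):
        guess = "".join(digits)
        key = derive_unlock_key(known_a or b"", known_b or b"", known_c or b"", guess)
        if hmac.compare_digest(make_check_value(key), check_value):
            return guess
    return None


if __name__ == "__main__":
    a, b, c, check = setup_device("4321")
    print("all three secrets known  ->", brute_force_pin(a, b, c, check))
    print("only one secret extracted ->", brute_force_pin(a, None, None, check))
```

Running the block prints the recovered PIN in the first case and `None` in the second: with one secret extracted, the remaining two secrets still stand between the attacker and the PIN, which is the "three layers reduced to two" situation the article describes. Whether the remaining layers are adequate depends on how hard those other secrets are to obtain, which the page does not detail.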

The attack requires disassembly and laboratory equipment.

Trezor states that such attacks have a high bar, requiring physical access to the device, hardware disassembly, and specialized laboratory equipment. Therefore, the company believes the chip still provides effective protection, as executing such attacks is costly and time-consuming.

The blockchain security firm Cyvers also told foreign media that such attacks are “highly unrealistic.” The company believes that, from a practical risk perspective, ordinary users are still more commonly threatened by phishing attacks, mnemonic phrase leaks, malicious dApps, and blindly signing transactions without understanding their content.

Cannot be fixed via firmware update

Since the issue stems from a hardware-level defect, Trezor stated that it cannot be fixed via a firmware update. The report noted that Trezor has not yet responded as to whether it will accept refund requests from users.

Trezor also emphasized that users' private keys are not stored on the TROPIC01 chip, which is one reason the company believes funds remain secure. The company also stated that this vulnerability cannot be exploited to implant persistent malicious firmware on the device.

Additional information: This disclosure indicates that the associated risks are primarily concentrated in scenarios where devices are physically accessed and subjected to laboratory-level attacks, with no evidence of large-scale remote theft risks.
