2018-12-18 16:17 |
On Tuesday December 18th, we released the firmware update 1.7.2 for Trezor One devices. This is a release which brings support for sending OMNI assets. OMNI is a platform built on top of Bitcoin used by various cryptocurrencies such as Tether. It also fixes a security issue located in the U2F subsystem that we have discovered internally on November 26th.
Please note that several other vendors are also affected by this issue, which influenced aspects of our disclosure process. We would like to thank these vendors for their immediate response and willingness to release their updates so quickly.
The vulnerability consists of an information disclosure in the initial handshake of the U2F protocol which could potentially be leveraged to extract sensitive data. It was found during research by Christian Reitter (independent security researcher working closely with SatoshiLabs) in coordination with Dr. Jochen Hoenicke (security researcher at SatoshiLabs) and was immediately disclosed.
After assessing the impact on the Trezor One, Christian identified a number of external open-source projects which also used the affected data structure and began a coordinated responsible disclosure to inform them confidentially over encrypted and authenticated channels. During this process, we have worked with several projects to help them determine the practical impact on their project. All projects have agreed to the proposed coordinated disclosure.
There is no evidence that the vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.
Details about the U2FHID_INIT_RESP information leak vulnerabilityBackgroundThe open Universal 2nd Factor (U2F) standard is a strong second factor security mechanism that helps user to keep their important accounts safe. Two factor authentication systems help in the unfortunate event that account credentials are e.g. stolen by malware. In this scenario, despite obtaining username and password, an attacker will be unable to derive the cryptographic key held within the U2F device and is blocked from authenticating successfully without it to sites that have this protection enabled.
The Trezor One enumerates as a standard U2F HID USB device to fulfill its role as a fully featured U2F hardware token. This functionality was developed on the basis of the C/C++ reference implementation for U2F by Yubico, one of the companies that created this security standard. This reference implementation defines essential data structures & protocol characteristics and is therefore used in parts for several other U2F implementations such as the Trezor One, and the affected data structure originates there.
At the beginning of each U2F session, host computer and U2F client device perform a basic two-way handshake before any cryptographic request such as a site authentication is issued. This handshake contains the information leak that is described in the following paragraph.
IssueThe C struct `U2FHID_INIT_RESP` represents the U2F message payload of the U2FHID_INIT handshake reply sent by the Trezor. It is intended to store 17 bytes as defined by the FIDO U2F HID specification. However, due to automatic optimizations related to memory layouts and address boundaries, this particular struct is transparently padded to a new size of 20 bytes by default during compilation. The resulting three additional bytes of hidden data are inaccessible through the regular struct fields, but the `sizeof()` value is increased. This configuration is referred to as an unpacked struct and compilers generally do this to speed up accesses. However, only a minority of structs will be padded, making this behavior easier to miss in practice.
In the `u2fhid_init()` function, `U2FHID_INIT_RESP` is used directly to assemble the message contents of the reply message, and during this process, every regular data field is overwritten with valid data. However, since the struct memory area was not cleared with zeros during initialization and the three hidden data bytes are never written to, these three bytes still contain the raw data that was present in this memory area during the struct initialization, which represents discarded memory of previous Trezor operations.
U2FHID_INIT_RESP resp;// several write operations to the regular resp data fields
// [...]
memcpy(&f.init.data, &resp, sizeof(resp));
At the end of `u2fhid_init()`, the memcpy copies all 20 bytes including the problematic trailing bytes into the packet transmit buffer, from where they are transmitted over USB with each U2FHID_INIT packet.
ImpactThe information leak consists of three memory bytes. The returned value have been observed to be stable between subsequent U2F handshake packets and device reboots, but can vary depending on previous actions on the Trezor. This behavior suggests that particular memory contents such as the existing stack protection defense mechanism are likely not impacted. Additionally, Trezor functions that handle sensitive data are designed to scrub the memory areas of the relevant variables before discarding them, which reduces the probability that the information leak can directly expose sensitive data. This can be seen as a mitigating factor, but we are taking no risks and have moved forward to release a patched firmware as soon as possible. This is also motivated by the fact that the problematic function can be invoked without any form of authentication and is not protected by the PIN, because of the U2F design.
Please also note that due to memory layout differences, the exact leak behavior will differ between firmware versions and vendors.
How does this affect the Trezor One?The described vulnerability can be used by an attacker with local access to the U2F interface to read a small area of previously discarded memory of the Trezor One. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data.
How was the issue fixed?The bug was fixed by correcting the memory layout of the affected struct via the __attribute__((packed)) and overwriting it with zeros upon initialization.
Timeline2018–11–26: U2FHID_INIT_RESP information leak is discovered2018–11–30: Advance notice to vendor #22018–12–05: Disclosure to vendor #22018–12–12: Disclosure to vendor #32018–12–15: Disclosure to vendor #4 (no practical impact)2018–12–18: Coordinated public disclosureFrequently Asked QuestionsIs my Trezor One safe?The described vulnerability can be used to read a small area of discarded memory. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data. In addition, there is no evidence that this vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.
Is Trezor Model T affected?The Trezor Model T is not affected by this vulnerability.
I am about to buy a new Trezor One. Will it be affected?No. Trezor devices are shipped without firmware preloaded, therefore latest available firmware will be installed upon the first use of the device.
How to update the firmware?At the time of writing, the new firmware 1.7.2 is optional and available from our web wallet. We encourage you to update, as this brings you the latest security fixes. For firmware 1.6.2, 1.6.3 or 1.7.1, the update process is straightforward.
If you use older firmware (1.6.1 and older), you will first need to update to firmware 1.6.3. We have added a functionality to our web wallet which will update your Trezor in two steps, if required.
Please note that if your Trezor One device is currently running firmware version 1.6.1 (bootloader version 1.4.0), your device memory will be wiped after this update. Please make sure you have the correct recovery seed with you, as you will need to recover your Trezor device from seed backup.
You can test your recovery seed before you update device firmware.
Are other hardware wallets affected?Yes. As described previously, we have disclosed the issues to several affected vendors, which includes two hardware wallet vendors, and cooperated with them to resolve the bugs.
All hardware wallets that include the U2F code of the Trezor One are most likely vulnerable.
Revisions to this document2018–12–18 14:00 CET: Original release.About SatoshiLabsTrezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.
Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.
SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly Trezor, the world’s first cryptocurrency hardware wallet, or CoinMap.org, the primary resource for bitcoin-accepting venues.
Details about the security updates in Trezor One firmware 1.7.2 was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
origin »