With the invention of the original Trezor One hardware wallet almost a decade ago, SatoshiLabs gave birth to a new industry, focused on securing digital assets. This industry has since grown to hundreds of manufacturers, each attempting to innovate on top of the design principles laid out in our original, open-source plans. There are over 200 contributors on our GitHub. Over fifty wallets are either direct clones of Trezor or use Trezor’s source code as their core. Examples of such hardware wallets are Coldcard, Keepkey, and Passport.
To advance the industry more quickly and prevent any company from monopolizing security, everything that goes into Trezor is open source, bringing many benefits to the community. If we give out all our ideas for free, what unique selling propositions remain? Why buy a Trezor wallet instead of a clone? To us, USP stands for usability, security and privacy.
When thinking of how to improve our wallet firmware or software, it is always usability which comes first. We carefully select what features are added to our wallet, with a main criteria being whether it will make it easier for people to use Bitcoin. Bitcoin is still experimental technology and therefore some features can be complicated for the average user to make use of. We find ways to simplify them, with a strong track record of contributing improvements both to Bitcoin protocols as well as Trezor functions.
We also regularly contribute to the many open-source projects we use in our products such as Bitcoin, Electrum, MicroPython, FIDO2 libraries, NixOS, Tails, etc. In doing so, we put usability and interoperability at the forefront, while also learning a lot about the broader ecosystem that Bitcoin is only a small part of. This is mutually beneficial as it not only improves Bitcoin by integrating well-supported projects, but it also enhances Trezor’s capabilities through the improvements these tools continually bring to the technological landscape.
Trezor is a driving force behind Bitcoin standards
Bitcoin Improvement Proposals, known as BIPs, aim to improve the security and usability of bitcoin. Trezor has created a number of standards (such as BIP39, BIP44, BIP84) which are now used by literally all hardware wallets and a vast majority of the software wallets. If you take a deeper dive into these standards, you will see how SatoshiLabs has succeeded in simplifying Bitcoin wallet recovery immensely in BIP39 by introducing the now-ubiquitous mnemonic seed word recovery process, which was once simply made up of a long random number.
This usability focus extends further, into simplifying the user experience while encouraging them to make use of privacy features inherent to bitcoin. BIP44 and BIP84 let users manage a whole bunch of wallets under one account, letting you better manage your funds. This allows you to separate wallets which you want to be public — for receiving donations, for example — from those you want to keep hidden, such as your main savings account. It also made it much easier to create backups as your accounts could all be recovered from one seed.
Complexity is Harmful
Bitcoin is still fairly complex for many people, which is why we recognize the need to improve not only the technology itself but also the interfaces which people use to interact with it. Usability is one of the key criteria behind everything we develop because it is a huge barrier to adoption. Introducing things like wallet labeling, estimated transaction fees and general user experience improvements are part of this. While we support advanced features for the users who know what they’re doing, we also expect to simplify those as demand rises. We believe in creating a universal product that doesn’t introduce unnecessary complexity, no matter the end goal.
As an example of this, last year we created an improvement to the mnemonic seed (BIP39), called Shamir Backup (also known as SLIP39). It offers greatly improved security by splitting a seed phrase into multiple component parts, which must be used together to grant access to a wallet. This feature is excessive for many people new to bitcoin or with small holdings, but for people searching for tighter security measures it offers a way to easily protect against theft of a backup, without relying on an overly complex process which could end up locking you out of your own funds. This feature is still exclusive to Trezor, but multiple hardware wallet vendors have pledged to implement support for it in the future, once again showing Trezor’s advancements leading the push for usability in security.
These standards have proven themselves essential for interoperability between various implementations of wallets, making it possible to seamlessly migrate funds from one wallet to another without any issues. Even outside of crypto, these improvements are finding new uses, such as in GrapheneOS, a security and privacy-centric Android distribution, which uses the BIP39 seed phrase to backup the storage encryption keys. In Trezor, SatoshiLabs have built an easy-to-use, unified environment that covers buying, selling, saving and storing bitcoin, no matter your expertise.
Bitcoin exists on a network, accessible by anyone, so there is no way to take your Bitcoins offline. Instead, to protect from network attacks, Trezor wallets keep your private keys shielded from any network, meaning that no-one can move any bitcoin you own, even if they know your public key and the address where your bitcoins are stored. This is the principle behind all hardware wallets which exist today.
One of the biggest threats when you send bitcoins is malware attempting to send your funds to an address other than the one you specified. Trezor is engineered in a way that such attempts are revealed when you confirm the transaction on the device. This means that while malware may infect your browser and hide the fact that it’s sending your funds elsewhere, your Trezor will show exactly where it’s being sent so you can cancel the transaction.
Collaboration Improves Security
SatoshiLabs is rooted in bitcoin’s cypherpunk legacy, which is why Trezor has been an open-source project since the beginning. This means Trezor is fully auditable, with no hidden places where potential backdoors can reside. This also means we are able to invite anyone who wants to, to build their own Trezors in case they don’t want to trust us or our funny accents. Plenty of people in the community have already done so:
- Voltlog’s Making My Own Trezor Crypto Hardware Wallet
- Stellaw’s Dinosaur Hip Hop Zero dev kit
- Mcudev’s Trezor One and Trezor Model T dev kits and guides
- Tom Fuerstner’s Experiments (tweet, tweet, tweet)
There are even proprietary Hardware Security Modules based on Trezor such as Subzero Cold Storage by Square, which is used to store Bitcoins for its Cash App users. And you can find Trezor code running on the HTC Exodus blockchain-focused phone or even on a Mercedes EQC 400!
- Unchained Capital (blogpost)
- ShapeShift (tweet)
Trezor has a Responsible Disclosure / Security Bounty program
Security is a process consisting of many moving parts. There are dozens of attack surfaces which must be addressed and it is unfeasible for a small team of developers to protect against all of them at once. That’s why we make security a collaborative effort. We enlist the help of security experts from around the world to make sure our devices are tested in every possible scenario.
Not only is Trezor code open-source, allowing the code to be fully audited, but we actively incentivize security researchers to look into our code by having a Responsible Disclosure / Security Bounty program. This means that if they responsibly disclose a real vulnerability in our products, we pay them a bounty after the issue is fixed. This led Trezor to receive a lot of constructive scrutiny in the beginning, costing hundreds of thousands dollars for the bounties and resulting in a far more secure product. Earlier, we mentioned that around 50 wallets use our code, meaning they also receive the same scrutiny and security fixes for free!
Why Transparency Matters to Security
It is never enough to rely on internal security teams’ testing processes to create a secure product. No matter how many possible vulnerabilities you account for, a hacker will find another way in. To account for this, we open our testing to everyone, so the same hackers who might launch an attack are instead given a reason to help patch it, in the form of bounties. This is a great practice which is widely recognized by some of the biggest names in information security. Many other widely used hardware wallet vendors do not do this and therefore have a limited number of attacks which they can protect from.
Some of our competitors instead rely on closed-source products which are marketed as secure, but offer no information about how that security is achieved. This means that they have only been tested by an internal team, or have been granted a security certification based on a limited list of criteria. Closed security does not work because vulnerabilities are bound to exist, even if they have not been found yet.
There has been criticism in the past that Trezor does not use a secure element for assuring physical security. During our experiments in the past, we realized that no secure element meets our high standards and therefore, not wanting to go down the path of selling snake-oil, we started a separate project, Tropic Square which will deliver a secure element for use in Trezor and other critical applications.
Without knowing how security is achieved, it is impossible to trust that a product is secure, and those companies creating so-called secure elements use non-disclosure agreements to prevent anyone from revealing vulnerabilities if they are found. A global asset like Bitcoin needs to withstand any attack imaginable, and therefore needs to be vetted by experts from all over the world to account for an almost infinite spectrum of potential attacks.
Privacy and security are not the same. It is possible to have a secure system while still revealing data that makes you a target for attackers. This is therefore a guiding principle in Trezor’s design. For starters, all our sales are anonymized, meaning that no data about our customers is kept on internal systems for more than 90 days. Given recent data leaks affecting our competitors, we take comfort in the knowledge that even if our databases were breached, there would be very little data that the attackers could take.
We want all our customers to think about privacy because it is one of Bitcoin’s great advantages over conventional currencies. While the bitcoin transactions are transparent, meaning anyone can see how much bitcoin is stored at a certain address, there is no reason why you need to associate your identity with that address. Doing so could make you a target for theft, allowing an attacker to focus their attention on extracting personal information about you in the hopes of discovering your passphrase, seed or even where you live. At a political level, it could also allow governments to impose disproportionate taxation or other penalties on their citizens based on their ownership of cryptocurrencies. Bitcoin is apolitical and its privacy mechanisms should be seen as a tool for actively resisting such abuses of power.
At SatoshiLabs, we are not interested in knowing about you. Our Trezor devices are fully equipped to help you disconnect from us entirely. We allow you to use your own backends or manage your funds using your hardware device with third-party software if you wish. Even if our company goes bankrupt, our source code remains available, and in the face of technological obsolescence you will have access to all the tools you need to manage your coins. In the meantime, we are actively working on implementing new tools which help resist heavy-handed regulations that threaten bitcoin’s privacy functions.
Because we do not want you to feel obliged to depend on our servers, we also open-sourced our own backend called Blockbook. You can download it and run it on your own. There are hundreds of businesses doing that already and they use Blockbook as their backend for tracking coin balances, such as OpenBazaar, Magnum Wallet, and Atomic Wallet.
Security cannot come at the expense of Usability
Trezor is striving to create a 100% auditable security environment that both beginners and long-time bitcoiners alike can easily use. We see it as essential that our product grant users access to all the functions of bitcoin without exposing them to easily-misused functions.
Trezor is an active part of the development community and uses its resources and reach to educate users, allowing them to take advantage of all of bitcoin’s benefits without exposing them to the guts of bitcoin technology. By buying a Trezor you are not only getting a hardware wallet but you are funding the whole Bitcoin and cryptosecurity ecosystem, one which Trezor has proven itself to be an essential cornerstone of.
As we have grown we have sought out ways to make our security more robust while retaining the ease-of-use our customers are familiar with. The next steps we are taking are guided by expansion into providing even greater security, privacy and usability, in a comprehensive strategy to ensure we remain the most reliable and usable wallet on the market. We are glad to have your support and expect that our upcoming developments will enhance the Trezor experience in all the right ways, so keep an eye on our social media for when they’re announced.