- Do not allow anyone physical access to your Trezor wallet
- You could permanently lose your crypto
- Enable your BIP39 Passphrase with the Trezor Client
The passphrase is a bit clunky to use in practice, but it is not stored on the device, so it protects against this attack.
This attack is very similar to our previous research against the KeepKey wallet, which is expected because the KeepKey is a derivative and all devices rely on the same family of chips. Trezor has known about these flaws since designing the wallets.
Other teams, like Ledger Donjon, have also performed variants of this attack, though the full details have not been made public until now.
Read the full article on Kraken.