Has there been any case where a redirection malware has actually changed the destination address?
There are countless cases where user A has sent something to user B, and for some reason the coins ended up with user C (who in this case is a hacker with clipboard malware). If something like this happens we can be pretty sure it's clipboard malware, but most victims don't want to check what actually happened and instead follow the advice to format the disk and start with a clean OS.
It should be noted that clipboard malware can hit the user of any crypto wallet, so it is an advantage to use a hardware wallet that will always ask us to confirm if the address matches. Of course, it is a good and desirable practice to always check several times if necessary, especially if we send large amounts.
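The mechanism described in the two replies above, as an added example that is not part of the original thread: a toy clipboard hijacker that overwrites anything shaped like a Bitcoin address with the attacker's address, beside the defensive check (full-string comparison of the intended destination against what was actually pasted, which is what confirming the address on a hardware wallet display amounts to). The address patterns, the "attacker" address, the "victim" address and the simulated clipboard are all constructed for this example; the patterns match on shape only, not on checksum.

```python
import re

# Constructed address-shape patterns of the kind a clipboard hijacker uses to
# decide what to overwrite: prefix, allowed charset and length, no checksum.
ADDRESS_PATTERNS = [
    re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),               # legacy / P2SH (Base58)
    re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}"),  # bech32 / segwit
]

# Constructed addresses for the simulation (not real addresses).
VICTIM_INTENDED = "1VictimRecipientAddressXXXXXXXXXXXX"
ATTACKER_ADDRESS = "bc1qattackerattackerattackerattackerattack"


def looks_like_address(text: str) -> bool:
    """Shape-only test, the same cheap test the malware applies to the clipboard."""
    s = text.strip()
    return any(p.fullmatch(s) for p in ADDRESS_PATTERNS)


def hijack_clipboard(clipboard: str) -> str:
    """What a clipboard hijacker does on every clipboard change: if the new
    content looks like an address, silently replace it; otherwise leave it."""
    if looks_like_address(clipboard):
        return ATTACKER_ADDRESS
    return clipboard


def confirm_destination(intended: str, pasted: str) -> bool:
    """Defensive check: compare the whole string, not just a glance at it."""
    return intended.strip() == pasted.strip()


def simulate_send(intended: str, infected: bool) -> dict:
    """Copy the intended address, let the (optional) malware touch the
    clipboard, paste, then run the confirmation step before 'broadcasting'."""
    clipboard = intended                      # user copies the address
    if infected:
        clipboard = hijack_clipboard(clipboard)  # malware reacts to the copy
    pasted = clipboard                        # user pastes into the wallet
    ok = confirm_destination(intended, pasted)
    return {"pasted": pasted, "confirmed": ok, "sent_to": pasted if ok else None}


if __name__ == "__main__":
    for infected in (False, True):
        print("infected" if infected else "clean", simulate_send(VICTIM_INTENDED, infected))
```

The point of the last function is that the address the wallet shows for confirmation is the pasted one, so the only check that catches the swap is comparing it against the address you meant to copy; validating that the pasted string is a syntactically correct address proves nothing, because the attacker's address is correct too.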
When I purchased my Ledger I heard about the Trezor vulnerability. I assume they would have changed the chip since then - perhaps they have not updated it. My Ledger requires a PIN to be entered to access the device and clears the seed if it fails 3 times. Are the Trezors still hackable with a PIN/password if physical access is available?
Trezor vulnerabilities cannot be literally fixed with new firmware, because the problem is in the hardware itself - which means that all existing devices that use the current hardware will always be vulnerable. When and if Trezor makes a completely new model, we can expect that it will not be exposed to that vulnerability.
As for PIN protection, Kraken has demonstrated that it is possible to create a script that will brute force a PIN consisting of 4 numbers in about 2 minutes. Therefore, one should not rely on the PIN as protection, because if someone has physical access to a hardware wallet and enough technical knowledge, it is only a matter of time before they will be able to extract the seed.
Additionally, because the Trezor firmware utilizes an encrypted storage, we developed a script to crack the PIN of the dumped device, leading to a full compromise of the security of the Trezor wallets. The script was able to brute force any 4-digit pin in under 2 minutes. This attack demonstrates that the STM32-family of Cortex-M3/Cortex-M4 microcontrollers should not be used for storage of sensitive data such as cryptographic seeds even if these are stored in encrypted form.
Thanks for the info. So I guess redirect malware must be prevalent enough that there have been enough documented cases. I figured a lot of them would be failures to copy/paste properly, like having a previously copied address in the clipboard instead of the one you want to send to, but after searching the forums it seems somewhat common.
I understood the Trezor failure was hardware related. I assumed they would have released a newer chip by now that fixes the problem, but I guess that isn't the case. Yeah, if it's a hardware-level failure, firmware usually can't shore up the problem, like the Spectre and Meltdown issues with CPUs (relying on the OS to intercept those vulnerabilities).
I'll stick with my Ledger. Obviously a 4-digit PIN can be brute-forced quite quickly. My Ledger says the device will wipe itself on 3 failed attempts of PIN entry - so hopefully nobody has found a workaround for the Ledger Blue. I am assuming Trezor doesn't behave in this manner.