Post
Topic
Board Hardware wallets
Re: Trezor: Bitcoin hardware wallet
by
JorgeStolfi
on 28/07/2014, 03:45:03 UTC
If you use your Trezor anywhere outside your home, whatever you do to unlock it (passwords, PIN, voiceprints, secret handshakes...) can be recorded and used by someone who later steals the device.
PIN - can't be logged, please search for the Trezor PIN matrix.

By "recording" I do not mean just keylogging, but (e.g.) placing a hidden hi-res camera in the right spot.

Quote
passphrase - best practice when you need to use a public computer, just have a small spending amount without a passphrase
One may have to use a public computer for relatively large sums, e.g. pay a hotel bill or run a business remotely while on vacation in a remote place.

Quote
security researchers that tested Trezor were a bit disappointed that they couldn't trick Trezor with buffer overflow
I did not mean buffer overflow explicitly (no programmer should make that mistake any more) but some other subtle bug that can be exploited to breach the security.

"It is easy to write correct software, you just have to remove all its bugs. And it is easy to remove all bugs, you just have to remove the last one." ;)
 
Quote
Perhaps the designers left a secret backdoor
it's opensource, everybody can check and believe me they are doing that..
But there is no easy way to make sure that the software that they are checking is what is stored in the device, is there?

Quote
1. check the integrity of the package before you use the device
A criminal who sets out to physically hack a rich man's Trezor during delivery will surely be able to provide a neatly sealed package that will fool him.

Quote
2. only buy it from official/trusted shops 3. the casing cannot be opened without damaging it so replacing internals won't be easy
Most devices will be bought via internet and delivered by UPS or the like. International purchases will be particularly risky since the packages may sit for weeks at customs and be opened by them.

The Trezor's exterior is quite simple, so it seems relatively easy to make a fake one that looks and feels like the original. The copy can be swapped for the original, without the owner noticing, and can be designed to steal the PIN and/or passphrase and transmit it to the thief, e.g. by bluetooth. (This attack would be similar to the "chupa-cabra" that thieves attach to ATMs to steal card data and PINs).
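
The PIN matrix exchange at the top of this post, as a simplified model added here as an example (not code from the post or from the Trezor project): it shows what a host-side logger learns from the clicks alone versus an observer who also sees the device screen. It assumes a 3x3 grid of digits 1-9 reshuffled for every prompt and numpad-style position codes; all function names and sample values are hypothetical.

```python
import secrets

# Codes the host sees for the nine blank cells (assumed numpad-style order).
POSITIONS = "789456123"

def new_layout(rng=None):
    """Device side: place digits 1-9 at random into the nine grid cells."""
    rng = rng or secrets.SystemRandom()
    digits = list("123456789")
    rng.shuffle(digits)
    return dict(zip(POSITIONS, digits))  # position code -> digit on device screen

def user_clicks(pin, layout):
    """User reads the device screen and clicks the matching blank host cells."""
    by_digit = {digit: pos for pos, digit in layout.items()}
    return "".join(by_digit[d] for d in pin)

def device_decode(clicks, layout):
    """Device maps the received position codes back to digits."""
    return "".join(layout[p] for p in clicks)

def host_only_candidates(clicks):
    """PINs consistent with the clicks when the layout was never seen.

    Each distinct clicked cell may hide any still-unused digit, so the
    count is 9 * 8 * ... over the number of distinct cells.
    """
    count = 1
    for i in range(len(set(clicks))):
        count *= 9 - i
    return count

def screen_observer_pin(clicks, filmed_layout):
    """An observer who saw the device screen and the clicks decodes as the device does."""
    return device_decode(clicks, filmed_layout)

if __name__ == "__main__":
    pin = "4912"                 # constructed sample PIN
    layout = new_layout()
    clicks = user_clicks(pin, layout)
    print("host sees clicks:", clicks)
    print("PINs consistent with host log:", host_only_candidates(clicks))
    print("with device screen filmed:", screen_observer_pin(clicks, layout))
```
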