The Trezor is one of the most popular bitcoin wallets. But the entire security relies on the result of a single call to MIN(), and if we can corrupt that comparison that MIN() performs the recovery seed can be dumped. This talk demonstrates how such an attack is possible without removing the enclosure of the wallet, leaving no sign of tampering. A successful attack would allow someone to effectively "clone" the wallet, such that the attacker leaves no trace of the attack, but could later withdraw bitcoins once the balance was sufficiently high to be interesting to the attacker. Countermeasures (which have since been implemented before this public talk) will also be discussed.
