We use technologies like cookies to store and/or access device information. We do this to improve browsing experience and to show (non-) personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Техническое хранение или доступ необходимы для законной цели хранения предпочтений, которые не запрошены подписчиком или пользователем.
The technical storage or access that is used exclusively for statistical purposes.
Техническое хранилище или доступ, который используется исключительно для анонимных статистических целей. Без повестки в суд, добровольного согласия со стороны вашего интернет-провайдера или дополнительных записей от третьей стороны информация, хранящаяся или полученная только для этой цели, обычно не может быть использована для вашей идентификации.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Firmware Update for a Hardware Wallet: When to Update and When to Wait
A hardware wallet firmware update often feels like a minor thing: people buy a hardware wallet so it can sit in a drawer and not cause problems. Most of the time, that is exactly what happens — until the app suddenly says that a firmware update is available. That is where users tend to split into two equally risky camps: some stay on firmware with documented vulnerabilities for years because “it still works,” while others panic at every email about an “urgent update,” click the link, download a fake app, and hand their seed phrase to scammers themselves.
Let’s look at how the update mechanism works internally, what happens to your seed if the device freezes halfway through, which vulnerabilities from the last two years vendors fixed specifically through firmware, and why fake updates steal far more money than actual technical exploits. At the end, we’ll give you a practical rule set: when to update immediately, when to wait two weeks, and when you can leave the device untouched for months.
What firmware is and what it controls
Firmware is the operating system of your wallet, written into its chip. It does everything the device was bought for: it generates cryptographic randomness and the seed itself, stores keys in a protected area, parses a transaction and shows its details on the screen, then signs it after your confirmation. A hardware wallet is a small computer, and firmware controls everything inside it.
The main consequence is simple: if malicious firmware is running on the device, no Secure Element will save you. The secure chip is only an executor; it does what the code tells it to do. So the question of which firmware is installed on your wallet and where it came from is really a question of who controls your money.
That is also why firmware updates are a double-edged tool. They are the only channel through which a vendor can deliver fixes for discovered vulnerabilities. At the same time, they are also the only channel through which something unwanted could theoretically reach the device. This article is about how to benefit from the first part without getting caught by the second.
How a hardware wallet firmware update works internally
Every hardware wallet has a bootloader: a small, unchangeable piece of code that runs first and decides whether new firmware can be installed. It makes that decision in a straightforward way: it verifies the file’s cryptographic signature. The vendor signs every release with its private key, while the public key used for verification is embedded into the device at the factory. A file without a valid signature will be rejected by the device under any circumstances.
This is the baseline level of protection. Serious manufacturers differ mainly in the details:
A separate mechanism is anti-rollback, protection against downgrades. The device stores the minimum allowed version and refuses to install anything older. The reason is simple: if version N fixed a vulnerability, an attacker may try to persuade you to “go back to the stable old version,” where the hole is still open. Jade enabled this protection in firmware 1.0.38 in November 2025, right after a real vulnerability case.
What happens to the seed during an update
The short answer: nothing. The seed is stored in a protected area of memory that a normal update does not touch. After the new version is installed, the wallet continues to work with the same addresses and balances.
The longer answer: nothing, as long as everything goes normally. If you unplug the cable midway through, lose power, or hit an app glitch, the device may reset to factory state. That is inconvenient, but not catastrophic: your coins are not “inside the device,” they are on the blockchain. The device is only the key holder. Restore the wallet from the seed phrase and continue. It becomes truly dangerous in exactly one situation: when there is no seed backup, or the backup was written down incorrectly. In that case, a failed update really can turn into a loss of funds.
Why you should update: what vendors patched in 2025-2026
Security researchers usually work under responsible disclosure: find a vulnerability, privately report it to the vendor, give them time to fix it, usually around 90 days, and then publish the details. That means that when a security patch is released, the vulnerability itself becomes public. From that day on, old firmware is no longer a “time-tested version”; it becomes a documented target with published instructions.
Blockstream Jade, November 2025. The DARKNAVY research team found a buffer overflow in the message handling between the app and the device: the RPC command register_descriptor, which had been present since firmware 1.0.24. Malicious software on your computer or smartphone could use this hole to crash a connected Jade or achieve limited code execution. Blockstream confirmed the issue within 24 hours, released a fix in version 1.0.37 three weeks after the report, and then followed with 1.0.38 with anti-rollback enabled so phishers could not persuade users to downgrade to a vulnerable version. No exploitation in the wild was found. This is a textbook example: the bug existed across more than a dozen firmware versions, and there was only one way to close it — update.
Trezor Safe 3, March 2025. Ledger Donjon, Ledger’s research team, demonstrated an attack on the TRZ32F429 microcontroller in Trezor Safe 3 using voltage glitching, meaning carefully timed power manipulation of the chip. An attacker with physical access to the device could reflash it in a way that Trezor Suite would still treat the wallet as genuine: the modified firmware passed integrity checks. The main scenario here is supply chain: a device is intercepted between the warehouse and the buyer, modified, and sold as new. The attack is complex and does not scale easily. Trezor strengthened integrity checks, although the underlying flaw sits in the microcontroller hardware and cannot be fully closed by firmware alone. Safe 5 was not affected: it uses the newer STM32U5, which is more resistant to this type of manipulation.
Trezor Safe 7, June 2026. The same Donjon team bypassed firmware signature verification on the TROPIC01 chip in the new Trezor Safe 7 under lab conditions, using a precisely calibrated laser to introduce faults into the verification process. Users’ keys and funds were not affected: they are not stored on this chip, and Safe 7’s architecture splits secrets across three independent layers. But the important detail is this: the immediate mitigation is available through a firmware update, which closes the main entry point for the attack. Tropic Square promises a hardware revision of the chip by the end of 2026, while the firmware protects users now.
For context, there is also the classic case from 2018: researcher Saleem Rashid demonstrated a firmware replacement attack on Ledger Nano S, and Ledger closed the vulnerability in version 1.4.1. The pattern has not changed since then: vulnerabilities are found regularly, and vendors deliver fixes through one transport only. A device that is never updated is preserved together with all of its bugs, and the list of those bugs becomes longer and more public every year.
Why you should not update on release day
Now for the other side of the argument, which is also backed by a real story. The key case is Ledger Recover, the loudest hardware wallet controversy of recent years.
In May 2023, Ledger released firmware 2.2.1 for Nano X with an optional Recover service: for $9.99 per month, the device encrypts your seed phrase, splits it into three fragments, and sends them for storage to three companies: Ledger, Coincover, and EscrowTech. Recovery is done through identity verification with documents. The service is voluntary, disabled by default, and nobody was forced to use it.
The controversy erupted because the existence of the service proved that Ledger firmware can technically extract seed phrase material from the Secure Element and send it outside the device. In November 2022, Ledger’s official account had told users that a firmware update could not extract the seed from the secure chip. After the Recover release, the company’s support account posted a tweet that was later deleted: technically, it had always been possible to write firmware that extracts keys. The community reacted predictably, and Ledger is still rebuilding trust.
The lesson is bigger than one brand: an update can change the device’s trust model itself. The changelog may say “stability improvements and new features,” while in practice the device gains capabilities you only learn about from the news. Waiting one or two weeks after a feature release gives the community time to uncover such things before they land on your own device.
The second, more practical argument is ordinary bugs. New integrations, new networks, rewritten interfaces — all of this gets tested on early users. If the release notes do not contain words like security or vulnerability, you lose nothing by waiting. The rule is simple: install security fixes immediately; give feature releases a pause.
Fake updates steal more than vulnerabilities
All the vulnerabilities described above combined have not stolen as much money as plain fake updates. Breaking a secure chip is expensive and difficult; convincing a person to hand over their seed phrase is cheap and scales very well.
September 2025, Blockstream Jade. Jade owners began receiving emails pretending to be from Blockstream: an urgent firmware update was available, here is the file, install it. The emails looked convincing, with version numbers and branded styling. Bitcoin developer Jimmy Song was the first to raise the alarm, and Blockstream confirmed that the company never sends firmware by email. Real updates live only on the official website and GitHub. Installing such an “update” would mean handing the wallet to attackers; Blockstream confirmed that no device was affected, mostly because the warning came quickly.
November 2023, fake Ledger Live in Microsoft Store. An app called Ledger Live Web3 stayed in Microsoft’s official store for almost three weeks. Visually, it copied the real Ledger Live. It asked users to enter their 24-word seed phrase “to restore access.” Investigator ZachXBT raised the alarm on November 5, and Microsoft removed the app the same day, but victims had already lost around $768,000 by then. One story from that case: a user reinstalled Windows, went to Microsoft Store out of habit, downloaded “Ledger Live,” entered the seed, and lost $26.5 thousand in savings within minutes.
April 2026, fake Ledger in Apple App Store. Same scheme, new store, larger scale. The fake app passed Apple’s review and, in one week from April 7 to April 13, drained at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP. The mechanics were identical: during “setup,” the app asked for 24 words. The largest single theft was $3.23 million in USDT in one day.
Notice the common thread across all three cases: nobody broke into the devices. The bootloader, firmware signatures, and Secure Element all worked exactly as designed, and none of it helped because the attack was aimed at the person, not the hardware. Three rules close this attack vector:
Dark Skippy: what malicious firmware does if it reaches the device
The stakes are best illustrated by one of the most elegant attacks published in recent years. In August 2024, researchers Lloyd Fournier and Nick Farrow from Frostsnap, together with Robin Linus, the creator of BitVM, published the Dark Skippy technique.
Here is the mechanism. When a wallet signs a transaction, it generates a nonce, a one-time random number that is critical to the security of the signature. Malicious firmware replaces that random nonce with pieces of your seed: the first transaction carries the first half, the second carries the second half. Signatures are public and live on the blockchain. The attacker scans the network, finds the marked signatures, and uses Pollard’s Kangaroo algorithm to recover the nonce from them, then the full seed from the nonce. Two ordinary signatures are enough for an attacker to gain full access to your wallet.
The worst properties are these: the device leaves no visible trace, the transactions look normal, and the attack works even if the seed was generated on a different, clean device. It is enough to sign something once with the compromised wallet. Earlier techniques in this class required dozens of transactions; Dark Skippy needs two. The attack has not been observed in the wild, but it changed the risk model: one malicious firmware build can mean a quiet loss of everything.
The industry response goes in two directions. The first is the familiar one: secure boot and firmware signatures that prevent foreign code from reaching the device. The second is more interesting: anti-exfil protocols. BitBox02 calls this anti-klepto; Jade has a similar mechanism. The idea is that the nonce is generated jointly by the device and the computer app, so the wallet cannot secretly encode anything into the signature by itself. If you are choosing a device for serious amounts, anti-exfil deserves its own line in the checklist.
The practical lesson from Dark Skippy is that the firmware source matters more than the firmware version. Old official firmware is a managed risk; fresh unofficial firmware is almost a guaranteed loss of funds.
The correct update process, step by step
Now let’s turn all of this into a practical workflow. It is the same for any vendor; only the app names differ.
When to update, when to wait, and when to leave it alone
Here is a quick reference for the most common situations:
A few words about the opposite philosophy: Tangem with immutable firmware. The code is written into the chip at the factory and can never be changed again by anyone: not by you, not by the vendor, and not by an attacker. The entire vector of malicious and fake updates disappears as a category. There is simply nothing to update, so Tangem owners do not face the question of whether to press the button. The price of that calm is also clear: if a vulnerability is ever found in the firmware, it cannot be patched; the only solution is replacing the device. It is just a different distribution of risk: Tangem removes the update-channel risk and accepts the risk of unpatchable bugs, while Ledger and Trezor do the opposite. Understanding this trade-off is more useful than believing either side’s marketing.
Conclusion
If we compress the whole article into one observation, it is this: in two years of major firmware-related stories, people did not lose money because they updated too early or too late. Jade owners in November 2025 were saved by the update itself: Blockstream closed the hole in three weeks, and the issue disappeared. The $9.5 million stolen through a fake App Store app in April 2026 was stolen without any device vulnerability at all: people downloaded the fake app themselves and typed their seed into it.
So the answer to the title question is simple. If a release fixes a vulnerability, update immediately: once the patch is public, the bug is no longer secret, and old firmware becomes a target with instructions attached. If a release adds new features, wait a week or two. Ledger Recover taught everyone to read changelogs skeptically: behind “stability improvements” there may be a feature that news sites will discuss for months, and it is better if someone else notices it first. For a long-term storage wallet, update in advance before planned use, so a possible failure does not interfere with an urgent transfer.
The source of the firmware matters more than any schedule. Dark Skippy showed that malicious firmware needs only two signed transactions to leak the entire seed quietly. As soon as a file or app comes from anywhere other than the vendor’s official website, version number and freshness stop mattering. It should not be installed at all, no matter how convincing the app store page looks.
The rest comes down to two habits. Check your seed backup before updating while it is still a five-minute routine: after a failure, it becomes the only thread back to your funds. And never enter your seed phrase into a computer or smartphone. A real update does not need it, and every window that asks for it was built to steal it.
We have followed this routine ourselves for years: work devices are updated within the first week after a security release, feature releases get a pause, and before every update we take out the backup even when we are tired and “everything is definitely fine.” Over the years, that routine has not given us a single dramatic story for an article — and that is the best possible outcome.
Related Posts
What Is Shamir Backup and SLIP39?
Welcome! In this article, we will explain how Shamir Backup works. We will look at why it is one of the best ways to protect your crypto investments, compare the SLIP39 and BIP39 standards, and answer the question: “How can you protect your cryptocurrency from theft and sleep better at night?” I will try to …
What Is a Mnemonic Phrase? BIP39 Word List
What is a mnemonic phrase? This is a question our customers often ask us. Let’s figure it out. A mnemonic phrase is a group of words that provides access to your assets and serves as a backup for your crypto wallet. It is also often called a seed phrase or BIP39 phrase. A phrase can …
Best private messengers with end-to-end encryption. Top apps in 2026
The best private messengers 2026 protect conversations with end-to-end encryption, but not every popular app is genuinely private. Many services store messages on a server in plaintext: the company that owns the service can read them, hand them over under a warrant, or lose them in a data breach. Private messengers do not. There is …
How to Store a Seed Phrase: 5 Safe Methods in 2026
A seed phrase is not just a set of words. It is the single key to everything you own in crypto. To every coin protected by that phrase. If you lose it — there is almost no chance of getting access back.There are white hat hackers who recover access to lost wallets — there are …