Also I fail to see what's the risk for the manufacturer if someone starts selling what is essentially a counterfeit version of the device. This would be like blaming an original SD card manufacturer when you get a fake Chinese SD clone.
If you buy fake merchandise, your loss is usually limited to the article. Someone who buys a fake malicious Trezor may lose millions. The victims will be much more motivated to get their money back, and SatoshiLabs will be the only target they can sue. The victims will argue that SL is responsible because they did not warn people about the risk of buying Trezors from resellers.
For the same reason, I hope that SL is taking adequate measures to physically secure their storage and shipping operations. How much would it take to convince an employee to switch some Trezors before shipping?
A knockoff requires some serious dedication and isn't even a remote concern if you just buy directly from buytrezor.com.
Exactly.
Far more likely:
1) printers with custom firmware to recognise bitcoin addresses/QR codes when printing, and push that data to a server
2) Casascius or any other coins being opened up with precision and solvents, private key copied, then sealed shut again for resale. Or even the creator keeping a copy of all private keys
3) an Android/Windows/iOS/ANY wallet software that was downloaded from the wrong site or updated to a malicious version
4) a webwallet that is hacked or otherwise steals privkey data.
5) virus or malware that seeks and steals any wallet info, or even QR codes from your print/documents history, and pulls the funds out.
Yes, all of that too, and more....
Someone creating an exact replica of the Trezor and its (quality) box that it's shipped in, plus valid serial numbers, plus making it match the MD5 hash..... you are pulling at straws.
You have heard of fake ATMs, right?
IMO the Trezor is 100% the safest option right now outside of operating an isolated offline system with an offline printer, using it to sign txs, copying the signed tx to a USB, then sending the signed transactions from an online system.
The Trezor may be even safer than an off-line computer (if malware gets installed in that computer, it may be able to do a weak-key attack, or leak the private key in the signed transaction.) Basically, the Trezor is an offline computer that is dedicated to a few bitcoin-related tasks and therefore is more difficult to compromise. Trezor is certainly much safer than that competition hardware wallet without display.
But owners must be aware that it is still far from 100% safe.