Trezor Labs Switches Software License Amid Controversy
Over the last few days, you’ve probably heard something about a kerfuffle regarding the Trezor line of hardware wallets. In a nutshell, here’s what happened:
Hardware wallets like the Trezor are one solution to the security problems created by malware. They work by maintaining a walled garden of trusted hardware and software that is too simple and restricted for attackers to get a foothold on. The thinking is that if the device does only one thing, it will be easier to make it do that one thing reliably and securely.
For a while now, all of the software that runs on the Trezor has been GPL-licensed, which means that it’s available for anyone to read, copy, or edit. This is good for users, because it means that the software can be vetted by other programmers (and, potentially, even patched or forked if the developers fail to respond to issues in a timely manner).
The flip side of this, however, is that it also means that it’s relatively easy for competitors to make exact duplicates of the hardware and begin selling cheaper versions – which is exactly what happened, and kicked off the whole fiasco. Specifically, a Chinese company called bwallet began manufacturing a Trezor clone at about a quarter of the price of a Trezor (though possibly with some added spyware). The Trezor developers’ response to this has been less than stellar – they’ve switched to using a much more restrictive license, and back-dated their Git repository (a way to store various versions of a piece of code online) to make it look as though the change is older than it is.
There are a few subtleties here. First off, the new license does allow the code to be freely distributed, so some of the security benefits still hold. That said, it doesn’t allow modifications of the code, which requires a fair degree of trust in the developers to stay up to date on patches – if you notice a bug and the developers won’t do anything about it, you literally aren’t allowed to fix it yourself. It’s also worth noting that since free software licenses can’t be revoked (and IP laws of any kind are much harder to enforce in China), the sudden change is unlikely to do much to discourage third-party Trezor clones from cropping up, so the decision to switch licenses reads less like a sober business decision than a panicky reaction.
It remains to be seen exactly how the whole Trezor debacle will resolve itself. It seems likely, if the company can recover from this through PR, that they can still succeed in the market as a hardware wallet that you don’t have to pick over with a fine-tooth comb for backdoors. A reputation, in security-critical applications like hardware wallets, is not a cheap thing. It’s not clear that a low-cost software wallet is actually a better idea if it’s not backed by a credible reputation. In the meantime, there are a few other interesting hardware wallet options on the horizon — including CoolWallet, which just came out with an intriguing demo video. Either way, until we can put more faith in our mobile and desktop operating systems, hardware wallets are an important concept, and one that’s here to stay.
http://satoshilabs.com/news/2015-01-30-trezor-software-license/