diff --git a/legacy/firmware/.changelog.d/noissue.security b/legacy/firmware/.changelog.d/noissue.security
new file mode 100644
index 0000000000..9e933c3644
--- /dev/null
+++ b/legacy/firmware/.changelog.d/noissue.security
@@ -0,0 +1 @@
+Don't show addresses that have an unrecognized path.
diff --git a/legacy/firmware/crypto.c b/legacy/firmware/crypto.c
index d0d6f1e417..dfb1a3533c 100644
--- a/legacy/firmware/crypto.c
+++ b/legacy/firmware/crypto.c
@@ -540,6 +540,14 @@ static bool check_cointype(const CoinInfo *coin, uint32_t slip44, bool full) {
 bool coin_known_path_check(const CoinInfo *coin, InputScriptType script_type,
                            uint32_t address_n_count, const uint32_t *address_n,
                            bool full) {
+  // If full == true, this function checks that the path is a recognized path
+  // for the given coin. Used by GetAddress to prevent ransom attacks where a
+  // user could be coerced to use an address with an unenumerable path.
+  // If full == false, this function checks that a coin without strong replay
+  // protection doesn't access paths that are known to be used by another coin.
+  // Used by SignTx to ensure that a user cannot be coerced into signing a
+  // testnet transaction or a Litecoin transaction which in fact spends Bitcoin.
+
   bool valid = true;
   // m/44' : BIP44 Legacy
   // m / purpose' / coin_type' / account' / change / address_index
@@ -740,6 +748,6 @@ bool coin_known_path_check(const CoinInfo *coin, InputScriptType script_type,
     return valid;
   }
 
-  // we don't check unknown paths
-  return true;
+  // we allow unknown paths when a full check is not required
+  return !full;
 }
diff --git a/tests/device_tests/test_msg_getaddress_show.py b/tests/device_tests/test_msg_getaddress_show.py
index a378622fb8..7d263bfe5a 100644
--- a/tests/device_tests/test_msg_getaddress_show.py
+++ b/tests/device_tests/test_msg_getaddress_show.py
@@ -17,6 +17,7 @@
 import pytest
 
 from trezorlib import btc, messages, tools
+from trezorlib.exceptions import TrezorFailure
 
 VECTORS = (  # path, script_type, address
     (
@@ -51,6 +52,17 @@ def test_show(client, path, script_type, address):
     )
 
 
+def test_show_unrecognized_path(client):
+    with pytest.raises(TrezorFailure):
+        btc.get_address(
+            client,
+            "Bitcoin",
+            tools.parse_path("m/24684621h/516582h/5156h/21/856"),
+            script_type=messages.InputScriptType.SPENDWITNESS,
+            show_display=True,
+        )
+
+
 @pytest.mark.multisig
 def test_show_multisig_3(client):
     node = btc.get_public_node(