
Ledger Finds Vulnerabilities In Trezor Hardware Wallets



Trezor’s late response shows the company has a lot of confidence in its customers. Unfortunately, it can’t really account for wealthy criminals.

Hardware wallet developer Ledger took to its blog on March 11 to outline five vulnerabilities the company claims to have found in two hardware wallet models from manufacturing competitor Trezor. The vulnerabilities were found by Attack Lab, a department at Ledger that hacks its own and competitors’ wallets to find any security issues in order to contribute to the “shared responsibility in guaranteeing a high level of security for the entire industry.”

According to the blog post, Ledger’s findings pertain to the Trezor One and the Trezor Model T, though the analysis focused heavily on the Trezor One. The post also clarifies that Trezor was notified of the five vulnerabilities about four months ago and was then given a “responsible disclosure period” to fix them before Ledger published its analysis.

Ledger’s Findings

The first issue Ledger makes note of is the “genuineness” of the Trezor devices. In its post, the company claims to have been able to manufacture fake devices that were exact clones of the Trezor wallets. They were also able to open the box of a Trezor wallet, install malware that gives the attacker complete control over the code running on the device, and then reseal the box without breaking the tamper-proof sticker “aimed at protecting against such attacks.” Though all the vulnerabilities were reported to Trezor, this is the only one Ledger says Trezor responded to. Trezor argued that “users won’t be exposed to this issue if they purchase their products directly from the Trezor website.”

Next, Ledger says it was able to guess the wallet’s PIN using a side-channel attack that “consists of presenting a random PIN and then measuring the power consumption of the device when it compares the presented PIN with the actual value of the PIN.” The PIN gives users access to the device and the funds held within. The post does note that this vulnerability was patched out by Trezor in a firmware update. It is the only vulnerability Ledger indicates has been fixed.

The third and fourth vulnerabilities deal with an attacker’s physical access to the Trezor wallets. According to Ledger, with physical access, an attacker can extract all of the data stored on the wallet’s memory, and therefore gain control of the assets stored on the device. Ledger specifically notes that this vulnerability cannot be patched out and recommends users add a strong pass phrase to their device.

The last vulnerability outlined by Ledger has to do with the Trezor wallets’ scalar multiplication function. According to the post, scalar multiplication is the core function for signing transactions, meaning it deals with the user’s private key. Ledger found that the scalar multiplication function was vulnerable to a side-channel attack, making it possible to extract the key from the wallet.
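To show why a scalar multiplication routine can give away key bits at all, here is an added example (not from the article, and not Trezor or Ledger code) comparing a naive double-and-add routine with a Montgomery ladder. It assumes a leak model in which an observer can tell point doublings from additions, which the article does not specify; the toy curve, function names and 8-bit scalars are constructed for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed for illustration, not secp256k1).
P_MOD, A = 97, 2
G = (3, 6)  # on the curve: 6^2 = 36 = 27 + 6 + 3

def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p + (-p), also covers doubling a point with y = 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, point):
    """Naive left-to-right multiplication; returns (k*point, operation trace)."""
    acc, trace = None, ""
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        trace += "D"
        if bit == "1":  # an addition happens only for 1-bits of the secret scalar
            acc = ec_add(acc, point)
            trace += "A"
    return acc, trace

def montgomery_ladder(k, point, nbits=8):
    """Ladder over a fixed bit length: exactly one add and one double per bit."""
    r0, r1, trace = None, point, ""
    for i in reversed(range(nbits)):
        bit = (k >> i) & 1
        if bit:  # real firmware would use a branch-free conditional swap here
            r0, r1 = r1, r0
        r1 = ec_add(r0, r1)
        r0 = ec_add(r0, r0)
        trace += "AD"
        if bit:
            r0, r1 = r1, r0
    return r0, trace

if __name__ == "__main__":
    for k in (0b10000001, 0b11111111):
        print(f"{k:08b}", double_and_add(k, G)[1], montgomery_ladder(k, G)[1])
```

A key-independent operation sequence is a necessary property of a hardened routine, not a sufficient one: data-dependent leakage inside each field operation has to be addressed separately.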

Trezor’s Response

After seemingly meeting Ledger’s vulnerability report with a bit of awkward silence four months ago, Trezor published a post on Medium today, March 12, explaining that Ledger’s vulnerabilities are not critical to hardware wallets as they all require “physical access to the device, specialized equipment, time, and technical expertise.” Trezor goes on to state it has patched two of the vulnerabilities and found the scalar multiplication issue non-exploitable as the attacker would need the PIN. As for the claims made against the genuineness of the wallets, Trezor states there is “no 100% solution” to mitigate against this kind of attack.

Although Trezor’s post covers what it is doing or has done to prevent the security issues and thanks Ledger for demonstrating the possible weaknesses in its wallets, the company’s response as a whole is discombobulated. Trezor asserts in its post that perfect physical security is an unreachable goal, making note of the possibility of “$5 wrench attacks” – targeted thefts in which victims are forced to disclose their password. Trezor then asserts that with a strong pass phrase and an understanding of the company’s operational security principles, “even the physical attacks presented by Ledger cannot affect Trezor users.” However, Trezor then goes on to admit that if an attacker had enough time, money, and resources, “no hardware barriers will stand against their attacks.”

Nicholas Ruggieri studied English with an emphasis in creative writing at the University of Nevada, Reno. When he’s not quoting Vines at anyone who’s willing to listen, you’ll find him listening to too many podcasts, reading too many books, and crocheting too many sweaters for his dogs, RT and Peterman.

ETHNews is committed to its Editorial Policy
