Sunday, June 16, 2019

Ledger Reveals Five Vulnerabilities in Its Rival, the Trezor Hardware Wallet

Crypto hardware manufacturer Ledger has disclosed five vulnerabilities in its rival’s product. The findings appear in a report published on March 11.

Vulnerabilities Of Trezor’s Hardware Wallets

Ledger noted in the report that the vulnerabilities were discovered by Attack Labs, a department of Ledger that hacks its own devices as well as competitors’ devices to improve security. Ledger claims it contacted Trezor repeatedly about the weaknesses in the Trezor One and Trezor T wallets before deciding on public disclosure. At press time, Trezor was not available to comment on Ledger’s findings.

One of the vulnerabilities concerns the genuineness of the device. The Ledger team noted that a Trezor device could be imitated by backdooring it with malware and then resealing it in its box with a faked tamper-proof sticker; the sticker is reportedly easy to remove. According to Ledger, the vulnerability can only be addressed by overhauling the design of the Trezor wallets and replacing one of the core components with a secure element chip.

The second vulnerability is that the value of the PIN on a Trezor wallet can be guessed using a side-channel attack. Ledger stated that it reported this to Trezor in late November 2018 and that it was later fixed in firmware update 1.8.0.

The third and fourth vulnerabilities concern the possibility of stealing confidential data from the device. Ledger noted that an attacker with physical access to a Trezor One or Trezor T could extract all the data from the flash memory and take control of the assets stored on the device. Ledger's proposed fix is to replace the core component with a Secure Element chip.

Lastly, the fifth vulnerability relates to the security model. Ledger stated that the crypto library of the Trezor One does not contain proper countermeasures against hardware attacks. This means that a hacker with physical access to the wallet can extract the secret key via a side-channel attack.

Open Source Is No Silver Bullet

Recently, Twitter CEO Jack Dorsey purchased a Trezor wallet for Bitcoin storage. When asked the reason for the choice, he stated that he chose Trezor because of its open source infrastructure. In response to this, Ledger stated that “The security model of hardware is quite complex, and offering open source firmware isn’t a silver bullet.”

Apparently, the vulnerabilities are what prompted Ledger to make that statement. However, the crypto space still awaits a response from the Trezor team.

