Ledger, the popular hardware wallet provider, publicly announced five security vulnerabilities affecting its rival hardware wallet provider, Trezor, following research by its internal security department, Attack Lab.
The release came after the responsible disclosure period and two extensions, according to Ledger.
Ledger vs. Trezor
Ledger and Trezor are the two leading hardware wallet providers for crypto assets and offer very similar services and security assurances based on their designs. However, they differ slightly in the hardware employed, specifically the chip used in their devices.
Ledger uses what’s known as a ‘Secure Element’ (SE) chip, which is commonly used in SIM cards, passports, and payment cards. Trezor uses a microcontroller unit (MCU), a type of chip that is integrated into common appliances like microwaves. The SE chip is considered more secure, and Ledger describes how a malicious actor could imitate a Trezor One or Trezor T model cold storage wallet and bypass the ‘Tamper-Proof’ property of the device. According to the blog post:
“Our analysis found that the genuineness of a Trezor device can be imitated. We were able to manufacture fake devices which are exact clones of a genuine one (same components, same hardware architecture, same look & feel). We were also able to open the box of a device, backdoor the device and re-seal the box (even with the “tamper-proof sticker” aimed at protecting against such attacks).”
Ledger’s proposed solution is for Trezor to switch to the SE chip instead of the MCU chip.
The second vulnerability concerned PIN security on Trezor devices and has already been patched by the company.
The third and fourth reported vulnerabilities center on extracting sensitive data through physical access to Trezor devices. A malicious entity with physical access could extract all of the confidential data from the Trezor and take control of all of the assets on the device. Ledger again recommends that Trezor transition to an SE chip.
The final security vulnerability concerns the protection against side-channel attacks in the crypto library of Trezor’s software. According to Ledger:
“This vulnerability can be patched, but also does not directly affect Trezor’s security model since this operation cannot be triggered without knowing the device’s PIN beforehand. It was, however, claimed to be secure against side channel attacks, which unfortunately proved incorrect.”
Trezor is also immensely popular and has demonstrated that it is very open about discussing ongoing security threats, vulnerabilities, and how it improves its cold wallet models. A response from Trezor is likely in the near future on its blog.
Ledger has also been the target of security research: in November 2018, Wallet.fail detailed attacks on the Ledger Nano S and Ledger Blue, although the company announced the vulnerabilities were not critical.