Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets

Ledger’s Attack Lab has found five vulnerabilities in hardware wallets of its direct competitor Trezor.

Major hardware wallets manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices, according to a report published on Monday, March. 11.

As of press time, Trezor was not immediately available to comment on Ledger’s findings.

The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly addressed Trezor about weaknesses in their Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended.

The first issue is related to the genuineness of the devices. According to the Ledger team, the Trezor device can be imitated by backdooring the device with malware and then re-sealing it in its box by faking a tamper-proof sticker, which is reportedly easy to remove. Ledger states that this vulnerability can only be tackled by overhauling the design of the Trezor wallets and, in particular, by replacing one of the core components with a Secure Element chip.

Secondly, Ledger hackers reportedly guessed the value of the PIN on a Trezor wallet using a side-channel attack and reported it to Trezor in late November 2018. The company later solved the issue in its firmware update 1.8.0.

The third and fourth vulnerabilities, which Ledger also offers to solve by replacing the core component with a Secure Element chip, consist of the possibility of stealing confidential data from the device. Ledger states that an attacker with physical access to Trezor One and Trezor T can extract all the data from the flash memory and gain control over the assets stored on the device.

The last weakness discovered is also related to Trezor’s security model: according to Ledger, the crypto library of the Trezor One does not contain proper countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the secret key via a side-channel attack, although Trezor has claimed that its wallets are resistant to it.

In November 2018, Trezor itself warned that an unknown third party was distributing one-to-one copies of its flagship Trezor One device. The fake wallets seemed to originate from China, and the company thus urged owners to buy wallets only from Trezor’s website.

However, in the recent report, Ledger claims that users cannot be sure even when they purchase hardware from the official Trezor website. The attacker could possibly buy several devices, backdoor them, and then send them back to the manufacturer asking for reimbursement. In case the compromised device is sold again, the user’s crypto funds can be stolen, Ledger concludes.

In November 2018, the research team behind the so-dubbed Wallet.fail hacking project demonstrated how they hacked the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. Both Trezor and Ledger than admitted to the found vulnerabilities — with Trezor noting that a firmware update would address them — but Ledger also added that they were not critical for its wallets.

COMMENTS

By Readers$type=blogging$cate=2$count=6

Name

Analysis,498,News,2975,Press Releases,338,Sponsored,137,
ltr
item
CryptoNomus: Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets
Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets
https://images.cointelegraph.com/images/528_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS9zdG9yYWdlL3VwbG9hZHMvdmlldy9hYWU0OGE0YjU2MGY5ZjBjMDVkNWNjZWY5OTE5MDViYS5qcGc=.jpg
CryptoNomus
https://www.cryptonom.us/2019/03/ledger-discloses-five-reported.html
https://www.cryptonom.us/
https://www.cryptonom.us/
https://www.cryptonom.us/2019/03/ledger-discloses-five-reported.html
true
4884201149675661183
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy