The French company, Ledger, like any other cyber-security company, tests out its products to ensure they are robust and resolute against potential hacks. However, the wallet manufacturer also tests out its competitor’s products, not simply to lambast their flaws, but also to compare Ledger’s protection capabilities against their peers.
Guillmet referred to four Trezor devices as “completely broken.” The devices in question were the Trezor One, Trezor T, Keepkey, and B Wallet, which pose such severe security flaws that there is no way to fix them, according to Ledger. In reference to their chief security officer’s statements, Ledger published an article detailing the drawbacks of its competitor.
In the report titled “Our Shared Security: Responsibly Disclosing Competitor Vulnerabilities,” the hardware wallet manufacturer stated that their responsibility to provide security services extended to their entire blockchain ecosystem.
Hence, due to this “shared commitment,” Ledger took the extra step to ensure that their competitor’s wallets can withstand hacks.
Ledger Donjon, the wallet manufacturer’s security team, has an Attack Lab in Paris, where regular defense checks are performed against their own products and that of their competitors.
The report added,
“Critically, when addressing the security of competing products, we always follow the principles of responsible disclosure, informing the impacted party of any vulnerability of their products that our Attack Lab might find, and giving them time to find a fix.”
Four months ago, the Attack Lab discovered five key vulnerabilities in Trezor’s products. The company was contacted and informed about the same. Despite allowing them the “responsible disclosure period” to fix these exploits and providing two extensions, Ledger decided to go public with their findings.
The first vulnerability revealed that the genuineness of the device can be imitated. Exact clones of the original Trezor wallet can be made, allowing hackers to tamper with the device and gain control over the code running on the device. Hackers can potentially insert “cryptographic flaws” and insert malware from the device’s back door.
When contacted by Ledger, Trezor stated that the flaw was out of their model and that users will not suffer the potential hack if the wallets were purchased directly from the Trezor website. However, Ledger had a different perspective,
“In our view, this vulnerability can only be patched by overhauling the design of the Trezor One, and replacing one of its core components to incorporate a Secure Element chip, as opposed to the general purpose chip currently used.”
The second vulnerability was with the PIN of the device. Ledger found that on a stolen or found device, the PIN can be guessed using a Side Channel Attack by measuring the power consumption when a PIN is entered compared to the actual PIN. The report stated,
“We found that the PIN does not protect the funds against an attacker with a physical access to the device.”
In their firmware update 1.8.0, Trezor informed Ledger that the vulnerability was rectified.
The third and fourth vulnerabilities pertained to the anonymity of the data within the device. An attacker with physical access to the Trezor One and Trezor T wallet can remove and potentially delete all the data within the device’s flash memory.
Ledger further revealed that this vulnerability cannot be fixed and that the technical details regarding this would not be mentioned by the wallet manufacturer. However, a stronger passphrase used by the users can be a possible solution.
The fifth and final vulnerability pointed to the ease with which a hacker, with physical access to the device, can use Side Channel Attacks to extract the secret key. The device is prone to this attack during Scalar Multiplication when transactions are being signed. However, to successfully trigger this attack, the device’s PIN needs to be known by the hacker.
Ledger also presented a summary status of the attacks and the severity of the same,