Ledger Helps Trezor Fix Security Vulnerability

Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.

Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.

Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.

Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.

"We believe that improving the security of the ecosystem is beneficial for everyone and essential to encourage greater adoption of cryptocurrencies and digital assets," Guillemet added.

Trezor has already implemented 'Secure Elements' chips designed to protect user PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.

The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.

"This ensures users the security of their funds even if the device is lost or stolen." However, Ledger discovered another potential attack vector coming from the microcontroller, the other core element of the dual-chip design of Trezor's Safe 3 and 5 models.

Trezor Resolves Firmware Integrity & Check Vulnerability

Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.

Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.

Trezor confirmed on X that users' funds remain safe, and that no action is needed.

However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.

"In cybersecurity, the golden rule is simple: nothing is completely invulnerable. This is why we have already implemented multi-layered protection against supply chain attacks and always advise our users to buy from official sources."

In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.

Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.

Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.

Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.