Ledger Helps Trezor Fix Security Vulnerability
By Kima A.

Ledger reported a vulnerability in the Safe 3 and 5 models to Trezor. Trezor has already released a patch to resolve the security issue.

Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.

Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.

Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.

Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.

"We believe that improving the security of the ecosystem is beneficial for everyone and essential to encourage greater adoption of cryptocurrencies and digital assets," Guillemet added.

Trezor has already implemented 'Secure Elements' chips designed to protect the user's PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.

The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.

"This ensures users the security of their funds even if the device is lost or stolen." However, Ledger discovered another potential attack vector coming from the microcontroller, the other core element of the dual-chip design of Trezor's Safe 3 and 5 models.

Trezor Resolves Firmware Integrity Check Vulnerability

Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.

Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.

Trezor confirmed on X that users' funds remain safe, and that no action is needed.

However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.

"In cybersecurity, the golden rule is simple: nothing is completely invulnerable. This is why we have already implemented multi-layered protection against supply chain attacks and always advise our users to buy from official sources."

In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.

Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.

Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.

Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.
