Ledger reported a vulnerability in the Safe 3 and 5 models to Trezor. Trezor has already released a patch to resolve the security issue.
Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.
Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.
Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.
Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here's a thread on our findings:🧵 pic.twitter.com/CORDOQWRYg
"We believe that improving the security of the ecosystem is beneficial for everyone and essential to encourage greater adoption of cryptocurrencies and digital assets," Guillemet added.
Trezor has already implemented 'Secure Elements' chips designed to protect user PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.
The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.
"This ensures users the security of their funds even if the device is lost or stolen." However, Ledger discovered another potential attack vector coming from the microcontroller, the other core element of the dual-chip design of Trezor's Safe 3 and 5 models.
Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.
Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.
Trezor confirmed on X that users' funds remain safe, and that no action is needed.
Hi, your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure🔒
However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.
"In cybersecurity, the golden rule is simple: nothing is completely invulnerable. This is why we have already implemented multi-layered protection against supply chain attacks and always advise our users to buy from official sources."
In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.
Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.
Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.
Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.
CZ, former CEO of Binance, did not recognise a deepfake video with his own voice. Artificial intelligence replicates faces and sounds with dangerous accuracy.
The 'Base is for everyone' token, launched as an experiment on Zora by the Base team (Coinbase), collapsed by 95% after a rapid surge and accusations of insider trading.
Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.
Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.
Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.
Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.
X
Trezor has already implemented 'Secure Elements' chips designed to protect user PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.
The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.
Trezor Resolves Firmware Integrity & Check Vulnerability
Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.
Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.
Trezor confirmed on X that users' funds remain safe, and that no action is needed.
X
However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.
In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.
Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.
Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.
Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.
Read Next
Auradine Raises $153 Million During Mining Crisis
Auradine raises $153 million during the mining crisis.
Deepfake AI Imitates CZ Of Binance In Disturbing Ways
CZ, former CEO of Binance, did not recognise a deepfake video with his own voice. Artificial intelligence replicates faces and sounds with dangerous accuracy.
Experimental Token On Base Crashes By 95%
The 'Base is for everyone' token, launched as an experiment on Zora by the Base team (Coinbase), collapsed by 95% after a rapid surge and accusations of insider trading.
KiloEx Offers $700,000 to Hacker After Oracle Attack
KiloEx offers $700,000 to the hacker to return the stolen funds after an oracle attack that caused the platform to lose $7 million.