Ledger reported a vulnerability in the Safe 3 and 5 models to Trezor. Trezor has already released a patch to resolve the security issue.
Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.
Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.
Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.
Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here's a thread on our findings:🧵 pic.twitter.com/CORDOQWRYg
"We believe that improving the security of the ecosystem is beneficial for everyone and essential to encourage greater adoption of cryptocurrencies and digital assets," Guillemet added.
Trezor has already implemented 'Secure Elements' chips designed to protect user PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.
The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.
"This ensures users the security of their funds even if the device is lost or stolen." However, Ledger discovered another potential attack vector coming from the microcontroller, the other core element of the dual-chip design of Trezor's Safe 3 and 5 models.
Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.
Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.
Trezor confirmed on X that users' funds remain safe, and that no action is needed.
Hi, your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure🔒
However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.
"In cybersecurity, the golden rule is simple: nothing is completely invulnerable. This is why we have already implemented multi-layered protection against supply chain attacks and always advise our users to buy from official sources."
In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.
Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.
Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.
Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.
Bitcoin fell sharply to $93,000, triggering liquidations of $510M in 24 hours and wiping out all gains for the year. The Fear and Greed index dropped to 10, signalling panic among traders.
Arthur Hayes, former CEO of BitMEX, urged Zcash (ZEC) holders to withdraw their coins from exchanges and move them to shielded addresses, revealing that ZEC is now his second largest position.
The price of XRP falls 7 per cent on the eve of the launch of the first US spot ETF managed by Canary Capital, as traders weigh hype, deleveraging and the risk of the classic 'sell the news'.
Tether moves like a sovereign wealth fund: it hires traders from HSBC and accumulates billions in physical gold. The strategy, which mirrors the behaviour of central banks, marks a break from dependence on the US dollar.
Hardware wallet vendor Ledger has demonstrated to Trezor that it can bypass security controls on the Trezor Safe 3 and 5 models, prompting Trezor to fix the vulnerability.
Hardware wallet vendor Trezor has fixed a security vulnerability in two of its latest models after Ledger's open-source research unit discovered a flaw in its microcontrollers.
Ledger Donjon acknowledged that Trezor has made several security improvements recently, but noted that cryptographic operations can still be performed on the microcontroller in the Trezor Safe 3 and 5 models, making them 'vulnerable to more sophisticated attacks'.
Unfortunately, Trezor has already patched the discovered vulnerabilities, Ledger CTO Charles Guillemet said in a 12 March post.
X
Trezor has already implemented 'Secure Elements' chips designed to protect user PIN and cryptographic secrets, as some Trezor devices could be hacked by modifying the software they run on, potentially allowing attackers to steal users' funds.
The Secure Elements feature "effectively prevents any low-cost hardware attacks, particularly power failures," Ledger said in a 12 March announcement.
Trezor Resolves Firmware Integrity & Check Vulnerability
Trezor implemented a firmware integrity check to detect tampered software, but Ledger was able to demonstrate that an attacker could still bypass this security check.
Since then, Trezor has fixed the problem, although neither Ledger nor Trezor has explained how.
Trezor confirmed on X that users' funds remain safe, and that no action is needed.
X
However, when asked if Trezor had been able to correct the problem with a firmware update, the hardware wallet vendor replied: "Unfortunately not.
In December 2023, a hacker compromised Ledger's connector library and stole cryptocurrencies worth $484,000.
Another attacker, who hacked Ledger's systems, published the email addresses of approximately 270,000 Ledger customers in June 2020.
Although Trezor has patched the latest security vulnerabilities identified by Ledger, concerns remain over potential attack vectors through the microcontroller.
Both companies emphasise the importance of continuous security improvements and multi-layered protection to protect users' funds. Despite past breaches that have affected the cryptocurrency hardware wallet industry, Trezor reassures users that their funds remain safe, with no immediate action required.
Read Next
Bitcoin Collapse: Half a Billion Liquidations and 2025 Gains Wiped Out
Bitcoin fell sharply to $93,000, triggering liquidations of $510M in 24 hours and wiping out all gains for the year. The Fear and Greed index dropped to 10, signalling panic among traders.
Arthur Hayes Pushes Zcash Towards 'Shield': Halving and Regulatory Risks in Focus
Arthur Hayes, former CEO of BitMEX, urged Zcash (ZEC) holders to withdraw their coins from exchanges and move them to shielded addresses, revealing that ZEC is now his second largest position.
The First Spot ETF on XRP in the US Is imminent, but the Price Falls Early
The price of XRP falls 7 per cent on the eve of the launch of the first US spot ETF managed by Canary Capital, as traders weigh hype, deleveraging and the risk of the classic 'sell the news'.
From Stablecoin to Sovereign Wealth Fund: Tether's Gold Turn Abandoning the Dollar
Tether moves like a sovereign wealth fund: it hires traders from HSBC and accumulates billions in physical gold. The strategy, which mirrors the behaviour of central banks, marks a break from dependence on the US dollar.