Ledger Exposes Trezor Wallet Vulnerabilities

Reading Time: 2 minutes

The Ledger vs Trezor turf war isn’t exactly up there with 1980s LA, but the heat was turned up over the weekend by Ledger’s Chief Security Officer Charles Guillmet. Shocking many, he exposed a number of physical vulnerabilities with rival Trezor’s devices at the MIT Bitcoin Expo in Boston. According to Guillmet, Ledger’s “world-class security team” regularly hack not just their own devices but also those of the competition to expose security vulnerabilities, and their most recent bout of testing revealed a number of flaws in various Trezor models, which the team presented live at the event four months after informing Trezor.

Side Channel Attacks and Warm Scalpels

The vulnerabilities discovered by the Ledger team were:

  • The security seal applied to Trezor packaging that is supposed to guarantee that the device hasn’t been tampered with after production can be easily removed and with a warm scalpel and replaced at a later date.
  • A Side Channel Attack can both work out the Trezor’s access PIN and also extract the device’s secret key, granting access.
  • An attacker with physical access to the device can extract all the data stored within the flash memory, a vulnerability that Ledger feel “can not be patched”.

In a blog post that accompanied the Bitcoin Expo talk, Guillmet describes his team’s actions following the discovery of the flaws in the Trezor devices:

“Notably, about four months ago we contacted Trezor to share five vulnerabilities our Attack Lab uncovered… We responsibly disclosed these vulnerabilities to the vendor, allowing them to take appropriate measures for protecting their users. Now that the responsible disclosure period, including the two extensions, has expired, we wanted to share details with you in the spirit of full awareness and transparency.”

Trezor Yet to Respond

Whether revealing the exploits to a live audience as part of a conference constitutes responsible behaviour is debatable, but at the very least they have informed the community who can now take appropriate measures. Trezor are yet to respond to the Ledger allegations, although responses on social media ranged from anger at Ledger to debunking the threat level:

This shot across the bows from Ledger comes hot on the heels of the discovery earlier this month that the latest firmware update for the Ledger Nano S contained a “critical security fix”, which could have seen all BTC held on the device being stolen by hackers.