In the field of hardware wallets for cryptocurrencies, there are two companies that dominate the market: Ledger and Trezor. The Ledger wallet became particularly well known for the familiar shape of a USB stick and became the most popular form of safe storage of its coins and tokens. The French company has now published a report that should identify five security gaps in Trezor's hardware wallet. Which they are and why they are not as dramatic as they may appear at first glance.
4 vulnerabilities in Trezor ONE and Trezor T
Hardware wallet producer Ledger, headquartered in Paris released yesterday, March 12, 2019, a report that uncovered four vulnerabilities in competitor hardware. With the words: "Safety is at the forefront of everything we do at Ledger - it is included in every product we sell and in every decision we make. Every day we challenge ourselves to create technologies and products that are even better and safer."the company begins its report.
As the global leader in blockchain security solutions, we think that our quest for security doesn't just affect us. We have a responsibility to increase security across the blockchain economy.
The four vulnerabilities found for the Trezor Hardware Wallet are the following:
- Authenticity of the device: The Trezor wallet can be copied unrecognizable, which is not recognized by customers. If a customer receives a counterfeit device, the fraudsters have access to all of the victims' cryptocurrencies. The security seal can be removed unnoticed with a warm scalpel.
- PIN security: According to Ledger, pin security is not impossible to manipulate. With a "Side Channel Attack" it should be possible to guess the PIN code of a stolen device.
- Confidentiality of the data within the device (Trezor ONE and Trezor T): A thief in possession of the wallet can gain access to the device's flash memory and thus steal all cryptocurrencies. This error cannot be fixed with a simple patch.
- Analysis of the cryptographic stack: an attacker in possession of the wallet could gain access to the private keys. To do this, the hacker must know the device's PIN code.
Trezor responds to the allegations
Safe deposit leaves the Vorwürf to of the direct competitor Ledger of course not just sit on and responds accordingly in the form of a blog post on their website. To it to be brief: 2 of the 4 security holes have already been patched. According to Trezor, all manufacturers are struggling with the security gap that the device can be copied and the security seal can be removed. So far, no 100% secure solution has been presented. Ledger himself mentioned that one needs the device's PIN for one of the security holes.
Particularly important: Trezor notes that none of these vulnerabilities are remotely controlled can be. Without exception, the hacker always needs physical access to the device.
In summary, there is a high probability that there will always be gaps in the security system of a hardware wallet. After all, these are "only" made by humans.