Ledger CSO Exposes Security Flaws in Trezor Wallet: Calls it “Completely Broken”

Mar 12 2019

Ledger and Trezor are two of the biggest names in hardware cryptocurrency wallets. Both companies have been around for a long while and remain close rivals. This weekend, however, Ledger took a major shot at Trezor, as the company's CSO bashed the security of Trezor wallets, calling them ‘completely broken’.

Ledger has its own hacking lab in Paris, known as ‘Ledger Donjon’, where it takes a detailed look not only at its own products but also at its competition. Charles Guillemet, the CSO of Ledger, attacked Trezor at the MIT Bitcoin Expo 2019, where he pointed out that there are a number of flaws in the wallets that their competition creates. The CSO was backed by the firm, which claimed in a blog post that since they are into security, it is their responsibility to report any flaws in their competitors' products as well.

The company pointed out that they found five major vulnerabilities in the wallets developed by Trezor and informed them three months ago. Ledger granted Trezor a ‘responsible disclosure period’ to fix these vulnerabilities, as well as two extensions. However, now that the disclosure period is over, Ledger decided to make some of these vulnerabilities public.

Vulnerabilities in the Trezor Hardware Wallets

Ledger pointed out four major flaws and vulnerabilities in hardware wallets made by Trezor:

  • First off, there are problems related to the ‘genuineness’ of the device. Basically, this means that there is a possibility for hackers to clone these devices. Trezor's only response here was that users should buy the wallets only from their official website.

  • Ledger further pointed out that the PIN system that their competitor employs is a rather weak one. Ledger added that “On a found or stolen device, it is possible to guess the value of the PIN using a Side Channel Attack.” Ledger pointed out that it took them five tries to break through this system.

  • The third and the fourth vulnerabilities concern the confidentiality of the data that is stored inside these hardware wallets. Ledger pointed out that the private key and the seed stored inside the Trezor wallet are not safe. An exploit involving the flash memory can be used to circumvent the security measures. The company further pointed out that this exploit is unfixable! Here’s what Trezor said:

    “This vulnerability cannot be patched – for this reason, we have elected not to disclose its technical details. It could also be mitigated by users adding a strong passphrase to their device.”

These are some serious issues that Ledger has raised about their competitors. If these vulnerabilities indeed exist, Trezor must act fast towards fixing them or coming out with safer devices which ensure that the funds of the users remain safe!
