Hardware wallet provider Trezor has patched up a security flaw in two of its latest models after competitor firm Ledger’s open-source research arm discovered a vulnerability in their microcontrollers.
Ledger Donjon acknowledged Trezor has made several security advancements of late but found cryptographic operations could still be performed on the microcontroller of Trezor’s Safe 3 and 5 models, which could make them “vulnerable to more advanced attacks.”
Fortunately, Trezor has since addressed the vulnerabilities found, Ledger’s chief technology officer Charles Guillemet said in a March 12 X post.
“We believe that making the ecosystem more secure helps everyone, and is critical as we push towards broader adoption of crypto and digital assets,” Guillemet added.
Source: Charles Guillemet
Trezor had already implemented “Secure Elements” — chips designed to protect the user’s PIN code and cryptographic secrets — as some of Trezor’s devices could be tampered with by modifying the software running on it, potentially allowing threat actors to steal user funds.
The Secure Elements feature “effectively thwarts any inexpensive hardware attack, in particular voltage glitching,” Ledger said in a March 12 post.
“[This] gives users confidence that their funds are safe even if their device gets misplaced or stolen.”
However, Ledger found another potential attack vector stemmed from the microcontroller, the other main part of Trezor’s two-chip design for its Safe 3 and 5 models.
Trezor implemented a firmware integrity check to detect modified software, but Ledger was able to demonstrate that an attacker could still bypass this security check.
This issue has since been resolved by Trezor — though neither Ledger nor Trezor have explained how. Cointelegraph reached out to Trezor but didn’t receive an immediate response.
Trezor’s microcontroller in the Trezor Safe 3 model. Source: Ledger
Trezor confirmed on X that user funds remain safe and that no action is required.
Related: ‘Dark Skippy’ method can steal Bitcoin hardware wallet keys
However, when asked whether Trezor was able to patch this issue via firmware, the hardware wallet provider responded: “Unfortunately not.”
“In cybersecurity, the golden rule is simple: nothing is fully unbreakable. That’s why we have already implemented a multi-layer defense against supply chain attacks and always advise our users to purchase from official sources.”
Ledger isn’t immune to security vulnerabilities either.
In December 2023, a hacker committed a security breach into Ledger’s connector library and stole $484,000 worth of crypto assets.
Another threat actor who breached Ledger’s systems published the mailing addresses of around 270,000 Ledger customers in June 2020.
Magazine: Crypto fans are obsessed with longevity and biohacking: Here’s why
