Ledger attacked Trezor this week in one of their blog posts, and Trezor promptly responded to the allegations. Both companies cited facts and explained their viewpoints. However, the average reader might not find the exchange very enlightening. So who had the better arguments in the end?
Ledger’s and Trezor’s “Shared Security”
Ledger tried to suggest that publicly disclosing these “vulnerabilities” was their responsibility. They named their article “Our Shared Security” and tried to paint a picture in which the two companies sit in the same boat, facing the same problems. Ledger, of course the superior sailor, tried to warn Trezor about the difficulties they both face and reported all vulnerabilities to them. But Ledger just did not want to listen. “Don’t use Trezor, boys and girls!”
Trezor’s response automatically raises the question of whether Ledger itself is able to withstand similar attacks on its devices. However, Trezor abstained from accusing Ledger of the same vulnerabilities, either because Ledger truly found better solutions for these vulnerabilities, which is what Ledger was trying to suggest in the first place, or because they don’t want to reproduce the same unprofessional behavior that Ledger showed this week.
Trezor was evidently in a defensive position, as they solely answered the allegations. They denied them where possible, admitted them where necessary and even thanked Ledger for pointing them to the vulnerabilities:
“We would like to thank Ledger for practically demonstrating the attack that we have been aware of since designing Trezor. Because we realize no hardware is 100% safe, we introduced the concept of passphrase; that besides plausible deniability eliminates many kinds of physical attacks, like this one.”
— Marek Palatinus, CEO SatoshiLabs
However, they noted as well:
“No hardware is unhackable, and depending on what your security model is, there are tools which you can use to mitigate threats.”
The Moral Winner
A similarly offensive response by Trezor might have turned the quarrel into a true mud fight. What Trezor writes in their blog is true: physical access to your device exposes your funds to attackers, and this will probably remain a possible risk in the future. However, by setting up a passphrase the risks can be mitigated, as Trezor wrote in their blog. The same applies to Ledger as well.
Therefore, all in all, the moral victory definitely goes to Trezor. But does Trezor now produce better hardware wallets than Ledger? Unfortunately, you still have to find out yourself, either by testing their products yourself or by reading reviews or blogs like that of Saleem Rashid, who has uncovered vulnerabilities of Ledger and Trezor devices alike in the past.