Trezor Responds to Ledger’s Vulnerability Allegations

Yesterday, Ledger accused its competitor Trezor of having five vulnerabilities, some of which it has not yet fixed. We reported on this yesterday in our Daily Roundup. Trezor responded to the allegations yesterday with a blog post, addressing all five vulnerabilities that Ledger accused it of not having fixed.

Supply Chain Attack

Ledger wrote on Monday that “[a]n attacker could buy several devices, backdoor them, and then send them back asking for reimbursement (using withdrawal period).”

The Czech hardware wallet manufacturer answered in general terms, stating that “Supply Chain Attacks are an everlasting problem for all hardware devices (not only wallets).” Interestingly, Trezor did not point out that Ledger wallets are susceptible to the same attacks, as this is what Ledger is trying to suggest.

Secure PIN protection

The second vulnerability, which Ledger cited under “Secure PIN protection”, is not a real vulnerability, as Trezor points out under “Software Crappy Attack”: “During the Trezor codebase testing, Ledger researchers only found two issues, confirming that our code stands strong against malicious actors. Although these vulnerabilities were unexploitable, we fixed them anyway.”

Side Channel Attack

The third vulnerability is a so-called Side Channel Attack, which requires physical access to a device. Trezor commends Ledger for having successfully conducted such an attack. However, they claim that “[t]his attack vector was closed by back-porting the way to store data on Trezor Model T to Trezor One.”

Side Channel Attack Scalar Multiplication

The fourth vulnerability, dubbed “Side Channel Attack Scalar Multiplication”, requires an attacker to have access to the PIN, the password and the device of a user. Therefore, Trezor concludes: “[H]aving all this the attacker can send all the funds from the hardware device anyway.”

Surprise Concluding Attack

The last vulnerability Ledger reported is the Surprise Concluding Attack, a vulnerability that does not only concern hardware wallets. According to Trezor’s blog post, the company was “surprised by Ledger’s announcement of this issue,” especially after “being explicitly asked by Ledger not to publicize the issue, due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries.”

The Czech company further states that it is in talks with the manufacturer of its chips (ST) and says that it therefore cannot provide any further details.

Trezor closed its blog post by indicating that “[n]o hardware is unhackable, and depending on what your security model is, there are tools which you can use to mitigate threats”, and by giving its users some final tips for the safe usage of their Trezors.