Cryptocurrency tech and wallet creator Ledger has hammered competitor Trezor in a blog post today. Ledger operates an internal team of friendly hackers to test its own software and hardware – as well as its competitors'. The Ledger Donjon, described as a “world class security team” based in the company's Paris offices, did a deep dive on Trezor, and the results were not very encouraging.
Ledger Donjon allegedly uncovered five vulnerabilities in Trezor's products. After a “responsible” disclosure period, only a couple have been patched – even after Ledger apparently granted Trezor an extension.
“Notably, about four months ago we contacted Trezor to share five vulnerabilities our Attack Lab uncovered. As always, we gave Trezor a responsible disclosure period to work on these vulnerabilities, even granting them two extensions.
The analysis encompassed both of Trezor’s hardware wallets (Trezor One, Trezor T), focusing on the Trezor One. It also applies to clones of Trezor wallets. We responsibly disclosed these vulnerabilities to the vendor, allowing them to take appropriate measures for protecting their users. Now that the responsible disclosure period, including the two extensions, has expired, we wanted to share details with you in the spirit of full awareness and transparency. A full recap of the results can be found below.”
Ledger said the Trezor device can be imitated, so bad actors could theoretically manufacture fake crypto wallets. This is an issue that can be resolved.
Regarding stolen devices, Ledger says it is possible to guess the PIN using a side-channel attack.
Another reported problem is that a nefarious user with access to the physical device can apparently extract all of the data stored in its flash memory. Not a good outcome. Ledger says this weakness cannot be patched.
The crypto library's implementation can apparently be probed with a “digital oscilloscope, and a few measurements.”
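The PIN-guessing and crypto-library findings above are both side-channel issues: the device does a different amount of work depending on the secret, and an oscilloscope on the power rail or a timer can see that difference. The page does not say which mechanism Ledger measured on Trezor, so the example below is an added illustration (not Ledger's or Trezor's code) of the generic pattern a firmware reviewer looks for. It assumes a 4-digit PIN and a byte-by-byte comparison; the leaky version stops at the first wrong digit, so its operation count reveals how many leading digits were right, while the constant-time version always does the same work.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4  /* assumption: 4-digit PIN for the demonstration */

/* Leaky comparison: returns as soon as a digit mismatches. The number of
   iterations (visible as timing or as a power trace) depends on how many
   leading digits of the guess were correct, which lets an attacker confirm
   the PIN one digit at a time instead of guessing the whole thing. */
static int pin_check_leaky(const uint8_t *stored, const uint8_t *entered,
                           size_t *ops)
{
    *ops = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*ops)++;
        if (stored[i] != entered[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: every digit is examined and mismatches are
   accumulated with OR, so the work done is independent of the secret.
   The final zero test is branchless as well. */
static int pin_check_ct(const uint8_t *stored, const uint8_t *entered,
                        size_t *ops)
{
    uint8_t diff = 0;
    *ops = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*ops)++;
        diff |= (uint8_t)(stored[i] ^ entered[i]);
    }
    /* (diff - 1) underflows to 0xFFFFFFFF only when diff == 0. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Demonstration helpers operating on constructed PIN strings. */
size_t leaky_ops(const char *stored, const char *entered)
{
    size_t ops;
    pin_check_leaky((const uint8_t *)stored, (const uint8_t *)entered, &ops);
    return ops;
}

size_t ct_ops(const char *stored, const char *entered)
{
    size_t ops;
    pin_check_ct((const uint8_t *)stored, (const uint8_t *)entered, &ops);
    return ops;
}

int leaky_result(const char *stored, const char *entered)
{
    size_t ops;
    return pin_check_leaky((const uint8_t *)stored, (const uint8_t *)entered, &ops);
}

int ct_result(const char *stored, const char *entered)
{
    size_t ops;
    return pin_check_ct((const uint8_t *)stored, (const uint8_t *)entered, &ops);
}

int main(void)
{
    /* Constructed sample: stored PIN and three guesses with the first
       mismatch at different positions. */
    const char *stored = "1234";
    const char *guesses[] = { "9234", "1294", "1234" };
    for (int i = 0; i < 3; i++)
        printf("guess %s: leaky ops=%zu result=%d | ct ops=%zu result=%d\n",
               guesses[i], leaky_ops(stored, guesses[i]),
               leaky_result(stored, guesses[i]), ct_ops(stored, guesses[i]),
               ct_result(stored, guesses[i]));
    return 0;
}
```

The operation counter stands in for what a measurement would show. A real device would additionally rate-limit attempts and avoid holding the raw PIN in flash at all, but the constant-work property is the minimum: if the comparison's cost varies with the secret, no retry counter fully closes the leak.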
Wallet hacks have emerged as a pressing issue in the crypto/digital asset sector. Custody of crypto is typically held at exchanges or on personal devices. Some investors simply write the information down and store it on paper.