On March 11, the major provider of hardware bitcoin wallets Ledger has unveiled results of the research carried out by its security division in which the company reported a number of vulnerabilities in Trezor wallet, Ledger's key rival.
Ledger in the released report stated that its division Attack Lab detected certain vulnerabilities of Trezor wallets. Attack Lab was launched for boosting security via hacking both company's and competitors' products.
The report reads:
"We are constantly attempting to hack into our own devices to ensure that we maintain the highest standards of security, and get in front of new methods from increasingly sophisticated attackers. We deploy these same methods to our competitor’s device because we have a shared responsibility in guaranteeing a high level of security for the entire industry,"
As the company representative stated, they appealed to Trezor's team regarding discovered security issues in Trezor One and Trezor T, and decided to make the report public once the responsible disclosure period expired.
The discovered vulnerabilities are reportedly connected with the authenticity of the devices, PIN code hack, Secure Element replacement and security model.
According to the report, Trezor's wallet can be easily imitated via hacking it with malware with further reboxing. Ledger highlighted that the stamp that is said to prevent unauthorised access can be taken away and falsified.
The second issue covered PIN code hack. In particular, Ledger experts managed to crack the password via a side channel.
"Our security analysis found that, on a found or stolen device, it is possible to guess the value of the PIN using a Side Channel Attack. This Side Channel Attack consists of presenting a random PIN and then measuring the power consumption of the device when it compares the presented PIN with the actual value of the PIN," according to the findings.
As for the remaining vulnerabilities, the company believes that Trezor should replace Secure Element microchip which may help to prevent possible heist of personal data kept at the devices. Hackers can withdraw all the data from flash drive via physical access and thus steal the funds.
The last vulnerability involves a crypto library. As Attack Lab said, they checked "the implementation of the crypto library of the Trezor One" and discovered that the wallet lacks "proper countermeasures against Hardware Attacks except for the Scalar Multiplication function (which could be a cause for concern in its own right)".
Meanwhile, Trezor representatives are yet to comment on these findings.