Ledger report: Trezor wallets have a number of vulnerabilities

Posted 12 March, 2019

On March 11, the major provider of hardware bitcoin wallets Ledger has unveiled results of the research carried out by its security division in which the company reported a number of vulnerabilities in Trezor wallet, Ledger's key rival.

Ledger in the released report stated that its division Attack Lab detected certain vulnerabilities of Trezor wallets. Attack Lab was launched for boosting security via hacking both company's and competitors' products. 

The report reads:

"We are constantly attempting to hack into our own devices to ensure that we maintain the highest standards of security, and get in front of new methods from increasingly sophisticated attackers. We deploy these same methods to our competitor’s device because we have a shared responsibility in guaranteeing a high level of security for the entire industry," 

As the company representative stated, they appealed to Trezor's team regarding discovered security issues in Trezor One and Trezor T, and decided to make the report public once the responsible disclosure period expired.

The discovered vulnerabilities are reportedly connected with the authenticity of the devices, PIN code hack, Secure Element replacement and security model.
According to the report, Trezor's wallet can be easily imitated via hacking it with malware with further reboxing. Ledger highlighted that the stamp that is said to prevent unauthorised access can be taken away and falsified.

The second issue covered PIN code hack. In particular, Ledger experts managed to crack the password via a side channel.

"Our security analysis found that, on a found or stolen device, it is possible to guess the value of the PIN using a Side Channel Attack. This Side Channel Attack consists of presenting a random PIN and then measuring the power consumption of the device when it compares the presented PIN with the actual value of the PIN," according to the findings.

As for the remaining vulnerabilities, the company believes that Trezor should replace Secure Element microchip which may help to prevent possible heist of personal data kept at the devices. Hackers can withdraw all the data from flash drive via physical access and thus steal the funds.

The last vulnerability involves a crypto library. As Attack Lab said, they checked "the implementation of the crypto library of the Trezor One" and discovered that the wallet lacks "proper countermeasures against Hardware Attacks except for the Scalar Multiplication function (which could be a cause for concern in its own right)".

Meanwhile, Trezor representatives are yet to comment on these findings.

Previous story

12 March, 2019 13:00

← Overstock announcement: Medici Ventures buys 5.1% stake in Bankours

The top player in the retail sales market Overstock has reportedly bought shares of blockchain-based banking project Bankours via Medici Ventures, its division aimed at blockchain investments. Overstock's investment division owns a 5.1% stake in Bankours company. The latter represents a blockchain-based platform that offers institutions and individuals buy/sell, store and lend cryptocurrencies. 

Overstock announcement: Medici Ventures buys 5.1% stake in Bankours

Next story

11 March, 2019 18:14

Deutsche Börse, Swisscom and Sygnum focus on new joint crypto ecosystem →

Germany's top stock exchange –  Deutsche Börse – entered into a strategic partnership with two Swiss companies to create a trusted crypto ecosystem. The partnership agreement was signed with Swiss state information and communication technology company Swisscom and Swiss-Singapore fintech company Sygnum.The new project will be designed "to jointly build out and grow a trusted and regulatory compliant financial market infrastructure for digital assets".

Deutsche Börse, Swisscom and Sygnum focus on new joint crypto ecosystem
Write a comment
Prove you’re not a bot + 10 = 23