Hardware crypto wallet maker Trezor has responded to the report by its main rival, Ledger, that described a number of vulnerabilities discovered in Trezor's products.
The company has released an official statement regarding the recent report, in which Ledger disclosed a number of vulnerabilities in Trezor's wallets. At the same time, a Trezor representative stressed that no product on the market provides 100% security, and thus every producer is striving to find ways to eliminate this problem.
The company noted in its response:
"Starting off, we would like to highlight the fact that none of these attacks is exploitable remotely. All of the demonstrated attack vectors require physical access to the device, specialized equipment, time, and technical expertise."
Trezor's team has studied the vulnerabilities discovered and reported by the Ledger experts and provided comments on each of them.
Specifically, the supply chain issue is said to create challenges for all players in the market, as "a piece of hardware" cannot verify its own integrity. However, the company stated that all of its production facilities are located in Europe, and thus it strictly supervises and monitors every phase of the process.
Trezor also fixed the problem that might allow a side-channel PIN attack, by back-porting a data storage method to the wallets in question.
"Side-channeling the PIN on Trezor One was indeed impressive and we commend Ledger’s effort," commented the company.
Notably, another issue, covering a side-channel attack via scalar manipulation, was also resolved. In particular, the report mentioned that hackers could not apply this method, as they would be asked to enter the PIN anyway.
Regarding the fifth issue, a Trezor spokesperson added that the company recommends setting up a passphrase to strengthen the wallets' protection against physical attacks. This option is said to "completely mitigate this attack vector".
For reference, Ledger released its findings regarding Trezor's vulnerabilities on March 12.
"We would like to thank Ledger for practically demonstrating the attack that we have been aware of since designing Trezor. Because we realize no hardware is 100% safe, we introduced the concept of passphrase; that besides plausible deniability eliminates many kinds of physical attacks, like this one," summarized Marek Palatinus.