Ledger Finds Vulnerabilities In Trezor Hardware Wallets

By Nicholas Ruggieri, Writer, ETHNews.com

Trezor’s late response shows the company has a lot of confidence in its customers. Unfortunately, it can’t really account for wealthy criminals.

Hardware wallet developer Ledger took to its blog on March 11 to outline five vulnerabilities the company claims to have found in two hardware wallet models from manufacturing competitor Trezor. The vulnerabilities were found by Attack Lab, a department at Ledger that hacks its own and competitors' wallets to find any security issues in order to contribute to the "shared responsibility in guaranteeing a high level of security for the entire industry."

According to the blog post, Ledger's findings pertain to the Trezor One and the Trezor Model T, though the analysis focused heavily on the Trezor One. The post also clarifies that Trezor was notified about four months ago regarding the five vulnerabilities and was then given a "responsible disclosure period" to fix them before Ledger published its analysis.

Ledger's Findings

The first issue Ledger makes note of is the "genuineness" of the Trezor devices. In its post, the company claims to have been able to manufacture fake devices that were exact clones of the Trezor wallets. They were also able to open the box of a Trezor wallet, install malware that gives the attacker complete control over the code running on the device, and then reseal the box without breaking the tamper-proof sticker "aimed at protecting against such attacks." Though all the vulnerabilities were reported to Trezor, this is the only one Ledger says Trezor responded to. Trezor argued that "users won't be exposed to this issue if they purchase their products directly from the Trezor website."

Next, Ledger says it was able to guess the wallet's PIN using a side-channel attack that "consists of presenting a random PIN and then measuring the power consumption of the device when it compares the presented PIN with the actual value of the PIN." The PIN gives users access to the device and the funds held within. The post does note that this vulnerability was patched out by Trezor in a firmware update. It is the only vulnerability Ledger indicates has been fixed.
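The side channel described above arises when a PIN comparison stops at the first mismatching digit, so the device's work (and its power trace) depends on how many leading digits of a guess are correct. The following is an added illustration, not code from Trezor or Ledger: a leaky early-exit check beside a constant-time check, with a counter standing in for the observable work. PIN_LEN, the DEMO_* values and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PIN_LEN 4  /* constructed example length */

/* Constructed sample values for the demonstration. */
static const uint8_t DEMO_PIN[PIN_LEN]              = {1, 2, 3, 4};
static const uint8_t DEMO_GUESS_WRONG_FIRST[PIN_LEN] = {9, 2, 3, 4};
static const uint8_t DEMO_GUESS_WRONG_LAST[PIN_LEN]  = {1, 2, 3, 9};

/* Stand-in for the physically observable effort: counts digit
 * comparisons performed by the last check. volatile keeps the
 * compiler from folding the increments away. */
static volatile size_t g_ops;

/* Leaky check: returns as soon as a digit differs, so the number of
 * digits touched reveals how many leading digits of the guess match. */
int pin_check_leaky(const uint8_t *stored, const uint8_t *guess)
{
    g_ops = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        g_ops++;
        if (stored[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time check: always touches every digit and folds all
 * differences into one accumulator; the single branch happens only
 * after the data-dependent work is finished. */
int pin_check_ct(const uint8_t *stored, const uint8_t *guess)
{
    uint8_t diff = 0;
    g_ops = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        g_ops++;
        diff |= (uint8_t)(stored[i] ^ guess[i]);
    }
    return diff == 0;
}

/* Number of digit comparisons performed by the most recent check. */
size_t pin_last_ops(void) { return g_ops; }

int main(void)
{
    pin_check_leaky(DEMO_PIN, DEMO_GUESS_WRONG_FIRST);
    printf("leaky, wrong first digit: %zu ops\n", pin_last_ops());
    pin_check_leaky(DEMO_PIN, DEMO_GUESS_WRONG_LAST);
    printf("leaky, wrong last digit:  %zu ops\n", pin_last_ops());
    pin_check_ct(DEMO_PIN, DEMO_GUESS_WRONG_FIRST);
    printf("constant-time, any guess: %zu ops\n", pin_last_ops());
    return 0;
}
```

A counter only models the effect; on real silicon the comparison must also avoid data-dependent memory access and the compiler output should be inspected, since an optimizer may reintroduce an early exit.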

The third and fourth vulnerabilities concern an attacker with physical access to the Trezor wallets. According to Ledger, with physical access an attacker can extract all of the data stored in the wallet's memory and therefore gain control of the assets held on the device. Ledger specifically notes that this vulnerability cannot be patched out and recommends that users add a strong passphrase to their device.

The last vulnerability outlined by Ledger has to do with the Trezor wallets' scalar multiplication function. According to the post, scalar multiplication is the core function for signing transactions, meaning it deals with the user's private key. Ledger found that the scalar multiplication function was vulnerable to a side-channel attack, making it possible to extract the key from the wallet.

Trezor's Response

After seemingly meeting Ledger's vulnerability report with a bit of awkward silence four months ago, Trezor published a post on Medium today, March 12, explaining that Ledger's vulnerabilities are not critical to hardware wallets as they all require "physical access to the device, specialized equipment, time, and technical expertise." Trezor goes on to state it has patched two of the vulnerabilities and found the scalar multiplication issue non-exploitable as the attacker would need the PIN. As for the claims made against the genuineness of the wallets, Trezor states there is "no 100% solution" to mitigate against this kind of attack.

Although Trezor's post covers what it is doing or has done to address the security issues and thanks Ledger for demonstrating the possible weaknesses in its wallets, the company's response as a whole is discombobulated. Trezor asserts in its post that perfect physical security is an unreachable goal, noting the possibility of "$5 wrench attacks" – targeted thefts in which victims are forced to disclose their password. Trezor then asserts that with a strong passphrase and an understanding of the company's operational security principles, "even the physical attacks presented by Ledger cannot affect Trezor users." However, Trezor then goes on to admit that if an attacker had enough time, money, and resources, "no hardware barriers will stand against their attacks."

Nicholas Ruggieri

Nicholas Ruggieri studied English with an emphasis in creative writing at the University of Nevada, Reno. When he’s not quoting Vines at anyone who’s willing to listen, you’ll find him listening to too many podcasts, reading too many books, and crocheting too many sweaters for his dogs, RT and Peterman.
