Ledger Helps Trezor Address Security Vulnerability in Latest Hardware Wallet Models

Trezor, a leading provider of hardware wallets, has successfully patched a security vulnerability discovered by its competitor, Ledger. The flaw, found in Trezor’s Safe 3 and Safe 5 models, was identified by Ledger's open-source research arm, Ledger Donjon, which demonstrated how cryptographic operations could still be performed on the microcontroller of these devices, potentially exposing them to more advanced attacks.


Ledger Donjon, which has a reputation for rigorously testing the security of hardware wallets, acknowledged Trezor’s recent advancements in security but pointed out the potential risks posed by the vulnerability. Charles Guillemet, Ledger’s Chief Technology Officer, confirmed in a March 12 X post that Trezor had since addressed the issue, underscoring the importance of collaboration in improving the overall security of the cryptocurrency ecosystem.


Vulnerability Discovered in Trezor’s Microcontroller

The vulnerability was found in the microcontroller of Trezor's Safe 3 and Safe 5 models, which use the company’s two-chip design. Trezor had already implemented “Secure Elements” in these devices, specialized chips designed to safeguard PIN codes and cryptographic secrets from tampering. Ledger nonetheless identified that an attacker could potentially bypass Trezor’s firmware integrity check, which was meant to prevent modified software from running on the devices.


Ledger demonstrated that, despite these security measures, cryptographic operations could still be performed on the microcontroller, exposing users to the risk of sophisticated attacks, particularly if the devices were physically tampered with.


Trezor’s Response and Security Advancements

Following the discovery, Trezor moved swiftly to address the issue. While Trezor did not immediately disclose how the vulnerability was resolved, the company confirmed that the flaw has been patched. Trezor’s response highlighted its commitment to security, acknowledging that, while no system is entirely invulnerable, the company had implemented a multi-layered defense strategy to combat supply chain attacks and other potential threats.


"We believe that making the ecosystem more secure helps everyone, and is critical as we push toward broader adoption of crypto and digital assets," Guillemet commented in his post.


Trezor emphasized that its Secure Elements feature, which helps protect against inexpensive hardware attacks like voltage glitching, remains an effective defense, ensuring that even if a device is lost or stolen, users can have confidence that their funds remain safe.


The Importance of Buying from Official Sources

Trezor also reiterated the importance of buying hardware wallets from official sources to avoid potential tampering, which could lead to compromised security. “In cybersecurity, the golden rule is simple: nothing is fully unbreakable,” Trezor said. “That’s why we have already implemented a multi-layer defense against supply chain attacks and always advise our users to purchase from official sources.”


Ledger has had its own share of security breaches in the past. In December 2023, a hacker infiltrated Ledger’s connector library, stealing $484,000 worth of cryptocurrency assets. In June 2020, a separate breach led to the exposure of the mailing addresses of around 270,000 Ledger customers.


Conclusion

The collaboration between Ledger and Trezor, despite being competitors, highlights the shared commitment to strengthening the security of the cryptocurrency hardware wallet industry. By discovering and resolving vulnerabilities, both companies are working to improve the safety of users' digital assets, a crucial factor as the crypto space continues to expand. As hardware wallet security evolves, the need for ongoing vigilance and updates will remain paramount in safeguarding against the ever-present threat of cyberattacks.
