Hardware wallets maker Ledger has published the discovered vulnerabilities in Trezor devices, its main competitor.
Vulnerabilities were discovered in Attack Lab, a department of the company that hacks both its own devices and those of its competitors to increase security. Ledger claims that he repeatedly reported Trezor about the weak points in their Trezor One and Trezor T purses. Now the company decided to make them public after the nonproliferation agreement period expired.
The first problem is related to the originality of the devices. According to the Ledger team, you can fake a Trezor device by hacking it with malware, and then reseal it in a box, forging an unauthorized access sticker that is easy to remove.
Ledger claims that this vulnerability can be eliminated only by redesigning the Trezor wallets and, in particular, by replacing one of the main components with the Secure chip.
Ledger hackers were able to reveal the PIN on Trezor wallets using a side channel attack and reported it to Trezor in late November 2018. Later, the company fixed this vulnerability in its update 1.8.0.
The third and fourth vulnerabilities, which Ledger also proposes to eliminate, replacing the main component with the Secure Element chip, are the possibility of stealing confidential data from the device. Ledger claims that an attacker with physical access to Trezor One and Trezor T can extract all data from flash memory and gain control over the assets stored on the device.
The last discovered vulnerability is also related to the Trezor security model: according to Ledger, the Trezor One cryptographic library does not contain adequate countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the private key through a side-channel attack, although Trezor emphasizes that his wallets are resistant to this.
In 2018, Trezor warned that an unknown third party was distributing individual copies of the Trezor One flagship device and urged owners to buy wallets only from the Trezor website.
However, in a recent report, Ledger claims that users cannot be sure of the authenticity of the equipment, even if they buy it on the Trezor official website. An attacker can buy multiple devices, hack them, and then send them back to the manufacturer for compensation. Ledger concludes that in the event of a resale of such a device, it will remain under the control of the attacker.
In November 2018, the research team behind the so-called hacker project Wallet.fail at the 35C3 Refreshing Memories conference demonstrated how they hacked Trezor One, Ledger Nano S and Ledger Blue. Both manufacturers of hardware devices admitted to the detected vulnerabilities - while Trezor responded that updating the firmware would eliminate them, and Ledger said that they are not critical to his wallets.