Hardware wallet Ledger helps competitor Trezor resolve security vulnerability

Trezor, a prominent hardware wallet provider, has taken decisive action to patch a recently identified security flaw in its Safe 3 and Safe 5 models. The vulnerability was uncovered by Ledger Donjon, the open-source research division of competitor Ledger. While Ledger acknowledged Trezor’s ongoing security enhancements, its findings indicated that the cryptographic operations on Trezor’s microcontrollers could create pathways for advanced types of attacks.

In a post on X, Ledger’s chief technology officer, Charles Guillemet, praised Trezor for its efforts but emphasized the need for constant vigilance in ensuring cryptocurrency ecosystem security. “We believe that making the ecosystem more secure helps everyone, and is critical as we push towards broader adoption of crypto and digital assets,” he stated, highlighting the collective responsibility of companies in the space to foster a secure environment.

To counter potential threats, Trezor had previously adopted “Secure Elements,” specialized chips aimed at safeguarding user PIN codes and cryptographic secrets. With some models susceptible to tampering through software modifications, the Secure Element was a crucial safeguard against threats such as voltage glitching. Ledger noted that this implementation gave users confidence in the safety of their funds, even if a device was misplaced or stolen.

Despite these security measures, Ledger identified an additional vulnerability tied to the two-chip design used in Trezor’s Safe 3 and Safe 5 models. Although Trezor had introduced a firmware integrity check to identify modified software, Ledger demonstrated that an attacker could potentially bypass this safeguard. Trezor has since addressed the issue, although specifics of the resolution have not been disclosed, and Cointelegraph noted that its request for comment went unanswered.

Trezor assured users via an X post that their funds were safe, affirming no immediate action from users was required. However, when probed about whether the patch was implemented through firmware updates, Trezor acknowledged that it could not offer a straightforward resolution, reiterating a fundamental cybersecurity principle: nothing is entirely unbreakable. They elaborated on their multi-layer defensive strategy against supply chain attacks, urging users to purchase devices only from official sources to thwart potential threats.

Meanwhile, Ledger also grapples with its own security challenges. In December 2023, a significant breach led to the theft of $484,000 worth of cryptocurrency assets due to a vulnerability in Ledger’s connector library. Compounding these challenges, a 2020 breach saw the personal information of approximately 270,000 Ledger customers exposed.

As both Trezor and Ledger navigate the intricate landscape of hardware wallet security, the need for rigorous, ongoing enhancements in response to emerging threats remains paramount. These incidents underscore the importance of user vigilance and the necessity for hardware wallet providers to maintain robust security protocols to safeguard digital assets effectively.

Laura Bennett

Laura Bennett is a digital marketing strategist and writer with a keen eye for online trends and audience engagement. With over seven years of experience, she specializes in data-driven content and digital growth strategies. Based in Virginia Beach, VA, Laura covers the latest in marketing, business, and online branding.
