The fight between the Bitcoin wallets goes into round two. After the crypto hardware wallet manufacturer Ledger disclosed alleged security gaps in its competitor's products, that competitor has now responded. Like the attack, Trezor's counter leaves one thing to be desired: professionalism.
especially one thing: to keep Bitcoin, Ethereum, Ripple and the like safe. Nonetheless, two of the largest providers of such wallets do not let themselves be discredited.
The mudslinging between Ledger and Trezor began on March 11. As we reported, Bitcoin wallet maker Ledger complained about some of its competitor's security vulnerabilities. It raised several issues that put Trezor in a bad light: the security seal, the PIN code and data security. Trezor has now responded in a blog entry. Here are the answers at a glance:
Supply Chain Attack
First, Ledger complained that attackers could easily replace the Trezor security seal. They could then tamper with the device, re-attach the old security seal and send the device back to Trezor. As a result, malware-laden devices could end up in circulation among Bitcoin hodlers. Trezor's simple answer:
“There is simply no way that hardware can verify itself and verify its integrity.”
However, all Trezor hardware is manufactured in the EU, “where we control the manufacturing process closely.”
Software Crappy Attack
The “crappy software attack”, which concerns the device's source code, has been fixed with the latest version of the device. Trezor's answer is therefore brief:
“Even though you could not exploit these vulnerabilities, we fixed them anyway, and hereby we would like to thank Ledger for verifying that the source code of Trezor is of high quality.”
Side Channel Attack PIN
The possibility of reading out the PIN through a side channel has also already been resolved:
“The Side Channel attack on the Trezor One PIN was really impressive, and we have to praise Ledger’s efforts. At the same time we want to thank Ledger for bringing this issue to our attention, and we have also removed this attack vector.”
Side Channel Attack Scalar Multiplication
This attack assumes that the attackers have the user's PIN and password as well as physical access to the device. The logical conclusion:
“If the attackers have all of this, they can steal any deposits on the device anyway.”
Surprise Concluding Attack
According to Trezor, Ledger has completely sold out here. The problem described here concerns not only Trezor but the entire microchip industry. As a result, Trezor cannot provide more specific information, except that it would be a very complex attack:
“[…] this attack vector is resource intensive, requires laboratory equipment to manipulate the microchips, and requires deep expertise in the field.”
However, according to Trezor, it is possible to circumvent this attack vector by using passphrases.
Thus, the hardware wallet manufacturer for Bitcoin, Ethereum, Ripple & Co. also comes to the following conclusion:
“This whole episode is a valuable lesson for us, we need to communicate something we already know: no hardware is unhackable, and depending on what your security levels are, there are tools you can use to mitigate threats.”
Battle of the Bitcoin Wallets lacks professionalism
Ultimately, the struggle of the Bitcoin wallets shows one thing above all: both hardware manufacturers lack a certain degree of professionalism. On the one hand, there is Ledger, which first ignites the fight and begins to publicly discredit its adversary at a conference. On the other hand, a visibly downtrodden Trezor team argues that they’re dealing with “crappy software crappy attacks” and sometimes shoots back as immaturely as it was attacked.
Conclusion: No wallet is unhackable, but you can communicate more professionally.