Security experts at Ledger have published a number of security holes in hardware wallets from the competing provider Trezor. Trezor has already responded with a number of updates.
Controlling your own private keys in the Bitcoin world is a tricky business. Ownership of crypto-assets is established by a digital signature made with the private key. Holding private keys yourself, however, always carries a certain risk of loss. Figures according to which more than four million BTC have already been lost for good confirm this. Public-key cryptography is a secure but unforgiving method.
Anyone who takes on responsibility for their own crypto-fortune is well advised to think carefully about the choice of a suitable wallet. In general, hardware wallets like Trezor’s or Ledger’s are a reliable solution. They are simple to handle and the level of security is sufficient.
However, even hardware wallets are not immune to security vulnerabilities. Ledger published a slew of them yesterday, March 11, all affecting Trezor’s competing products.
One could argue that Ledger wants to harm the competition by spreading information that only encourages hackers to exploit these attack vectors. Ledger claims the opposite: the French wallet manufacturer's security experts gave Trezor a kind of grace period in advance, during which their colleagues could fix the flaws in the competing product. That way, more security is ensured for all involved.
Problem 1: The seal
As Ledger demonstrates, the security seal can easily be removed with a scalpel. The seal is meant to prevent third parties from opening the device and modifying it afterwards. But it does not, as Ledger shows.
Hackers could get a device, make changes to the software, and return the Trezor to the dealer within the warranty period. Malware-equipped wallets would then be passed on to third parties, whose crypto-funds would presumably be at risk.
Problem 2: The PIN code
What sounds a bit like science fiction seems to be a real attack vector for Trezor devices. Apparently it is possible to guess the PIN of the device by means of a side channel. You just have to present the wallet with a random sequence of digits and then measure the power consumption while the device compares it with the actual PIN.
The Ledger team was able to guess the correct PIN of a Trezor in just five tries.
However, this vulnerability has already been addressed by patch 1.8.0.
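Why a comparison can leak at all is easiest to see in code. The following is an added example, not Trezor's firmware and not taken from Ledger's report: it assumes, for illustration, a PIN check that stops at the first wrong digit, and sets it beside a form that does the same work for every input. The function names and the `work_done` counter (a stand-in for a timing or power measurement) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical instrumentation: counts digit comparisons per call. It stands
 * in for what an observer would infer from timing or power measurements. */
static size_t work_done;

size_t last_work(void) { return work_done; }

/* Leaky form (assumed for illustration): returns at the first wrong digit,
 * so the amount of work reveals how many leading digits were correct. */
int pin_equal_leaky(const uint8_t *entered, const uint8_t *stored, size_t len)
{
    work_done = 0;
    for (size_t i = 0; i < len; i++) {
        work_done++;
        if (entered[i] != stored[i])
            return 0;
    }
    return 1;
}

/* Hardened form: always processes every digit and folds the differences
 * into one accumulator; no branch depends on the secret. */
int pin_equal_ct(const uint8_t *entered, const uint8_t *stored, size_t len)
{
    volatile uint8_t diff = 0; /* volatile: discourage a compiler-added early exit */
    work_done = 0;
    for (size_t i = 0; i < len; i++) {
        work_done++;
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real device. */
    const uint8_t stored[4] = {1, 2, 3, 4};
    const uint8_t guess[4]  = {1, 2, 9, 9};

    pin_equal_leaky(guess, stored, 4);
    printf("leaky:    %zu comparisons\n", last_work());
    pin_equal_ct(guess, stored, 4);
    printf("constant: %zu comparisons\n", last_work());
    return 0;
}
```

Equal operation counts remove only the control-flow leak; on real hardware the power drawn can still depend on the values being processed, which needs separate countermeasures.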
Problem 3: Data security
The next vulnerability concerns both the Trezor One and the Trezor T: according to Ledger staff, once third parties gain physical access to one of these wallets, they can extract all relevant data from the device’s flash memory. They could thereby also gain access to the funds stored on it.
Ledger is keeping quiet about the technical details of this attack vector, however, so as not to encourage misuse.
Presentation at the MIT Bitcoin Expo
If you would like to know more about the security infrastructure of the Trezor hardware wallets (presented by Ledger experts), this 30-minute presentation at the MIT Bitcoin Expo is a must. Note: the presentation is in English.
Despite the issues listed here, hardware wallets are still considered the safest way to store digital gold.