Ledger, one of the leading manufacturers, has discovered a number of vulnerabilities in devices created by its main competitor. The company says that there are five different security flaws distributed between the and the Trezor Model T. However, Trezor has contested some of the bugs, so it is not clear how serious the issues are.
Ledger’s findings are the result of the company’s recently-formed “Attack Lab,” which works to bug-test the company’s own devices as well as those of its competitors. Ledger says that it gave Trezor about four months to fix the bugs. Now that the responsible disclosure period has ended, Ledger has decided to its findings publicly.
The Bugs In Detail
One of the bugs has already been fixed by Trezor: A now-patched vulnerability could have allowed attackers to measure power consumption in a device in order to guess its PIN and gain access to its wallet. The fix for this bug lessens the impact of another still-unpatched bug, which allows attackers who know a device’s PIN to extract a secret key.
Two more vulnerabilities—or, rather, one bug in two different Trezor models—have also been found. These vulnerabilities could allow attackers to extract data from a device’s flash memory and drain the wallet’s funds. Solving this problem would require an entire design overhaul; however, users can prevent an attack by using a strong passphrase.
The Possibility of Counterfeiting
Finally, one vulnerability involves counterfeiting. Ledger shows that Trezor’s tamper-proof seal can be easily removed and reapplied. This would allow an attacker to open a Trezor device, then replace the hardware or install a backdoor. Ledger says that it was personally able to manufacture a convincing Trezor clone, and other Trezor wallets have emerged in the past.
As such, this line of attack is plausible. However, Trezor suggests that this problem does not exist as long as users buy their hardware wallet from the official Trezor store. Ledger responds that attackers could buy a wallet, install a backdoor, and return it to the company—although it is not apparent that Trezor is reselling previously-owned devices.
Are the Problems Serious?
All of the above attacks (except for counterfeiting) require attackers to have direct physical access to their victim’s wallet. Ironically, Ledger previous concerns about physical access, noting that using a camera to record user input is often more practical than exploiting various types of bugs.
Ledger’s article is not quite a “hit piece” on Trezor, but Ledger obviously has the upper hand when it comes to disclosing its findings. As of March 11, Trezor has not responded publicly to Ledger’s claims. However, Trezor’s latest firmware update one of the bugs, along with a bug and a third vulnerability.
Published at Tue, 12 Mar 2019 18:36:16 +0000
