Ledger Helps Hardware Wallet Competitor, Trezor, Fix Security Vulnerability
Rival Companies Ledger and Trezor Collaborate: Ledger’s Discovery of Trezor’s Microcontroller Flaw Exposes Hardware Wallet’s Fragile Security

Hardware wallet provider Ledger recently helped rival firm Trezor identify and resolve a critical vulnerability in its microcontroller’s security. The flaw, discovered by Ledger’s open-source research team, Donjon, affected Trezor’s Safe 3 and Safe 5 models.
Ledger discovered that sophisticated attacks could exploit certain cryptographic operations still possible on the Trezor Safe 3 and 5 microcontrollers. Both companies confirmed they patched the vulnerability; users do not need to take any action.
Ledger Uncovers Flaw in Trezor’s Microcontrollers
Ledger Donjon revealed that Trezor’s Safe 3 and 5 models contained a flaw in their microcontrollers, which could allow attackers to bypass firmware integrity checks.
Trezor had already implemented certain security measures, such as using specialized chips called Secure Elements to protect users’ PINs and cryptographic secrets. Despite this, Ledger proved that cryptographic operations on the microcontroller itself could still expose the devices to advanced attacks.
Charles Guillemet, Ledger’s Chief Technology Officer, praised Trezor’s recent security advancements in a March 12 X post but pointed out the risks the flaw could pose.
“If a Trezor Safe3 device was stolen, an attacker could theoretically tamper with the device and modify the software running on it, endangering its user’s funds, even if this device uses a Secure Element,” he stated, adding that making the ecosystem more secure helps everyone.
Trezor quickly addressed the vulnerability, though neither Trezor nor Ledger disclosed specific technical details about the fix. Trezor confirmed on its official X handle that user funds remain secure and no action is required.
“Your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure,” Trezor reiterated, stressing that nothing is fully unbreakable.
Ledger’s Own Security Struggles
Although Ledger played a key role in quickly identifying Trezor’s flaw, the company has also faced its own security challenges. In December 2023, a hacker infiltrated Ledger’s connector library, draining $484,000 in crypto assets. Earlier, in June 2020, a breach exposed the mailing addresses of 270,000 Ledger customers.
Nonetheless, these incidents underline the harsh truth that no firm is immune to cyber attacks. It is therefore important to balance innovation with a rigorous security architecture to protect users from outside threats.