Hardware wallet manufacturer Ledger discloses vulnerabilities in devices of its rival Trezor

Ledger, one of the largest manufacturers of hardware wallets, has published a report publicly disclosing vulnerabilities in devices made by its main competitor, Trezor, Cointelegraph reports.

The report says the vulnerabilities were discovered by Attack Lab, a division of the company that hacks both its own devices and those of its competitors in order to improve security.

According to Ledger, it repeatedly contacted Trezor about weaknesses in the Trezor One and Trezor T, and decided to make them public once the disclosure period had ended.

  • The first problem is device genuineness: a Trezor device can be imitated by compromising it with malware and then resealing it in its box with a forged tamper-evident sticker, which is said to be easy to remove. Ledger claims that this vulnerability can be eliminated only by rebuilding the Trezor wallets.
  • Second, Ledger hackers found a way to obtain a Trezor wallet's PIN using a side-channel attack and reported it to Trezor in late November 2018. The company later fixed this problem in its firmware update 1.8.0.
  • The next vulnerability, which Ledger proposes to eliminate by replacing the main component with a Secure Element chip, is the possibility of stealing confidential data from the device. Ledger claims that an attacker with physical access to a Trezor One or Trezor T can extract all data from flash memory and gain control over the assets stored on the device.
  • The last weakness is that the Trezor One does not contain adequate countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the private key through a side-channel attack, although Trezor has stated that its wallets are resistant to this.

In November 2018, Trezor itself warned that an unknown third party was distributing copies of its flagship device, the Trezor One. The fake devices appeared to come from China, and the company therefore urged customers to buy wallets only from its own website.

In the report, Ledger claims that users cannot be sure of a device's integrity even if they buy it on the official Trezor website, because an attacker can buy several devices, hack them, and then return them to the manufacturer for a refund. Ledger suggests that if a compromised device is then resold, the user's cryptocurrency may be stolen.

Publication date 12.03.2019