The developers Ledger and Trezor have commented on the vulnerability information in their hardware wallets

Manufacturers of popular hardware wallets for storing Bitcoin and other cryptocurrencies Ledger and Trezor published official statements, which responded to the information that the researchers of wallet.fail allegedly managed to identify several attack vectors on their devices.

For example, the French company Ledger stated that although the researchers indicated three attack vectors that give the impression that devices have critical vulnerabilities, this is not true.

Yesterday, the https://t.co/qbY5avXAsw team held a meeting on the potential vulnerabilities of hardware wallets. While the attacks are shown

Read more here: https://t.co/jqHnJVzeU9

– Ledger (@LedgerHQ) December 28, 2018

“They were unable to remove the PIN or seed phrase from the stolen device. All critical assets in the security element are protected. There is no reason to worry: your cryptocurrency assets are still safe, ”the Ledger blog says.

Recall that the Wallet.fail team claimed exactly the opposite: according to her statement , the researchers managed to extract the PIN and mnemonic core from Trezor RAM, remotely sign the transaction and crack the Ledger Nano S loader, and intercept the Ledger Blue PIN.

Nevertheless, the Ledger developers called the “impractical” physical modification of the Ledger Nano S wallet followed by the installation of malware on the victim’s computer and the possibility of signing transactions after entering the PIN code.

“A motivated hacker would definitely use more effective techniques, for example, installing a camera to fix a PIN at the time it was entered by the user, ” say Ledger representatives.

The manufacturer also insists that obtaining physical access to the device and installing malware on the victim’s computer is too complicated, which also implies that the hacker has to wait for the user to initiate the transaction. Not excluding that such a scenario is possible in theory, the Ledger team does not see its realization in life.

Researchers at Wallet.fail also stated that they installed their own firmware on a microprocessor. According to Ledger, such a scenario does allow the device to be switched to debug mode, however, the capabilities of the alleged attacker are most likely limited.
“They stated that they had discovered a way to bypass the microprocessor check, but they did not show how the bug was used,” says Ledger.

The French company also commented on the extraction of a PIN code from the Ledger Blue device using a “controlled machine learning” attack.

“This attack is definitely interesting, it does not allow you to extract a PIN code in real conditions. For this scenario, we have already introduced a randomized keyboard, with which the PIN code is entered. Again, it will be easier to install the camera in order to fix the PIN-code at the moment of its input by the user, ”the developers concluded.

Ledger also criticized the Wallet.fail team for deciding to show vulnerabilities in public instead of turning to a bounty bug catching program.

“Responsible disclosure of [vulnerabilities] is the best practice to follow in order to protect users and increase the security of our products,” Ledger said.

Trezor: keep using your devices

Meanwhile, the Prague-based wallet maker Trezor acknowledged the vulnerability, but stressed that in order to use it, the attacker needs to have physical access to the victim's device.

Please keep in mind that this is a physical vuln. Anchorman wouldn’t have to be a board — breaking the case.

If you have any physical control, you can’t keep it.

– Trezor (@Trezor) December 28, 2018

For those concerned with security issues, the company recalls, there is a “passphrase” function, but the loss of this key phrase will lead to loss of funds.

Recall that last summer the company Ledger announced that in 2017 alone it sold more than a million of its multicurrency hardware crypto wallet, earning a total of $ 29 million.