Trezor Crypto Hardware Wallet Comments on Security Issues After Ledger’s Report

After Ledger pushed a report highlighting Trezor’s vulnerabilities, the latter has commented on the mitigation of security risks.

Trezor, the producer of some of the most widely distributed crypto hardware wallets, has explained its approach to recently discovered vulnerabilities, pushed to prominence by competiror company, Ledger. Trezor still warned that no device is ultimately unhackable, and the human factor is always present.

Regarding supply-chain tampering and injections of code words, Trezor once again stated its devices are manufactured under controlled conditions, and users should only buy the original device.

But the most seriously regarded attack was the Side Channel attack vector that managed to quickly read the PIN of the device, by intercepting electricity charges. Trezor claims to have patched this flaw:

“Side-channeling the PIN on Trezor One was indeed impressive and we commend Ledger’s effort. At the same time, we would like to thank Ledger for responsibly disclosing the issue to us. This attack vector was closed by back-porting the way to store data on Trezor Model T to Trezor One,” the team stated.

Trezor, however, expressed puzzlement on why Ledger revealed a deeper vulnerability, affecting all hardware devices. Given laboratory access, the chip itself could be accessed to divulge its information, but Trezor remarked this attack would be extremely rare and expensive.

Patching this vulnerability would mean redesigning all hardware wallets to change some of the internal chip elements with specialized secure elements.

“That being said, we were surprised by Ledger’s announcement of this issue, especially after being explicitly asked not to publicize the issue, due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries,” the Trezor team explained.

In truth, direct attacks against Trezor devices are resource-intensive and rare. Most digital asset thefts have relied on the human factor or phishing.

Saleem Rashid, one of the few independent researchers, stated that he is also worried about the internal chip element potential exploits. In a recent Twitter thread, Rashid commented on the security flaws of Trezor:

Ledger, the competitor of Trezor and discoverer of the flaws, is also constantly taking measures to improve the device security and find the best security elements to achieve its goals.

Reading now