Trezor Patches Critical Vulnerability Identified by Ledger

Hardware wallet provider Trezor recently addressed a critical security vulnerability in its Safe 3 and 5 models, thanks to the efforts of its competitor, Ledger. Ledger's open-source research arm, Ledger Donjon, identified a flaw in the microcontrollers of Trezor's devices, which could potentially expose them to more advanced attacks. This discovery prompted Trezor to take immediate action to patch the vulnerability, ensuring the security of its users' funds.

Ledger Donjon acknowledged Trezor's recent security advancements but noted that cryptographic operations could still be performed on the microcontroller, posing a risk. Ledger's chief technology officer, Charles Guillemet, confirmed in a March 12 post that Trezor had successfully resolved the vulnerabilities. Guillemet emphasized the importance of a secure ecosystem for the broader adoption of crypto and digital assets, stating that making the ecosystem more secure benefits everyone.

Trezor had previously implemented "Secure Elements" in its devices to protect users' PIN codes and cryptographic secrets. These elements are designed to thwart inexpensive hardware attacks, such as voltage glitching, ensuring that users' funds remain safe even if the device is misplaced or stolen. However, Ledger found another potential attack vector stemming from the microcontroller, which is a crucial part of Trezor’s two-chip design for its Safe 3 and 5 models.

Trezor had implemented a firmware integrity check to detect modified software, but Ledger demonstrated that an attacker could bypass this security check. Trezor confirmed that user funds remain safe and that no action is required from users. When asked about the patching method, Trezor responded that it was not done via firmware, highlighting the multi-layer defense against supply chain attacks and advising users to purchase from official sources.

This incident underscores the ongoing challenges in cybersecurity, where no system is entirely unbreakable. Both Ledger and Trezor have faced security breaches in the past, with Ledger experiencing a significant hack in December 2023 and another breach in June 2020. These incidents serve as reminders of the constant vigilance required to protect digital assets in an ever-evolving threat landscape. The collaboration between Ledger and Trezor in addressing this vulnerability highlights the importance of industry cooperation in enhancing the security of digital wallets and protecting users' assets.