Trezor Patches Security Flaw Discovered by Ledger

Hardware wallet provider Trezor recently patched a security flaw in two of its latest models, the Safe 3 and Safe 5, after Ledger’s open-source research arm, Ledger Donjon, discovered a vulnerability in their microcontrollers. The flaw allowed cryptographic operations to be performed on the microcontroller, potentially exposing the devices to more advanced attacks.
Ledger’s chief technology officer, Charles Guillemet, acknowledged Trezor’s recent security advancements but highlighted the need for further improvements. He emphasized the importance of a secure ecosystem for the broader adoption of crypto and digital assets. Trezor had already implemented “Secure Elements” in some of its devices to protect users' PIN codes and cryptographic secrets, effectively thwarting inexpensive hardware attacks such as voltage glitching.
However, Ledger’s research revealed another potential attack vector stemming from the microcontroller, the other main part of Trezor’s two-chip design. Despite Trezor’s implementation of a firmware integrity check to detect modified software, Ledger demonstrated that an attacker could bypass this security measure. This issue has since been resolved by Trezor, although the specifics of the fix remain undisclosed.
Trezor confirmed that user funds remain safe and that no immediate action is required from users. The company also reiterated its commitment to multi-layer defense against supply chain attacks and advised users to purchase from official sources. This incident underscores the ongoing challenges in cybersecurity, where no system is entirely unbreakable.
Ledger itself is not immune to security vulnerabilities. In December 2023, a hacker breached Ledger’s connector library and stole crypto assets worth a significant amount. Additionally, in June 2020, another threat actor published the mailing addresses of around 270,000 Ledger customers. These incidents highlight the need for continuous vigilance and improvement in security measures across the industry.
The collaborative effort between Ledger and Trezor to address this vulnerability sets a positive precedent for future cooperation within the cryptocurrency industry. Both companies are committed to maintaining high security standards and ensuring the safety of users' assets. This event serves as a reminder to users about the importance of regularly updating their hardware wallets and being cautious about potential security threats. As the cryptocurrency landscape continues to evolve, robust security measures become increasingly crucial for protecting digital investments.
