The manufacturer of cryptocurrency hardware wallets Ledger discovered vulnerabilities in the devices of its competitor Trezor. This company reported on Twitter.
Vulnerabilities detected by Attack Lab. Attack Lab is a division that enhances security. They are looking for the possibility of hacking wallets. These are both personal wallets and devices of competitors. Representatives of Ledger claim that they have repeatedly addressed Trezor regarding weaknesses in Trezor One and Trezor T. Therefore, after the end of the disclosure period, they decided to make them public.
List of problems
The first problem is related to
Secondly, Ledger hackers were able to pick up a PIN code on a Trezor wallet using an attack on a third-party channel. Later, the company solved this problem in its firmware update 1.8.0.
The third and fourth vulnerabilities, which Ledger also proposes to eliminate, replacing the main component with the Secure Element chip. They consist in the possibility of theft of confidential data from the device. Ledger claims that an attacker with physical access to Trezor One and Trezor T can extract all data from flash memory. Therefore, it may gain control over the assets stored on the devices.
Trezor’s latest weakness: as stated by Ledger, the Trezor One cryptographic library does not contain adequate countermeasures against hardware attacks. It is alleged that a hacker with physical access to the device can extract the secret key through an attack on a third-party channel. But Trezor claimed that his wallets were resistant to such an attack.
It is noteworthy that in November 2018 Trezor representatives themselves warned that an unknown third party was distributing individual copies of their flagship device, Trezor One. And urged users to buy wallets only through its official website.
An attacker can buy multiple devices, hack them, and then send them back.
However, in its report, Ledger claims that users cannot be sure, even if they buy equipment on the Trezor website. An attacker can buy multiple devices, hack them, and then send them back to the manufacturer for compensation. Ledger researchers say that in the event of a re-sale of a compromised device, cryptocurrency can be stolen.