Please Add Widget from here
Ledger and Trezor Hardware Wallets Answer Security Concerns
Bitcoin, Technology

Ledger and Trezor Hardware Wallets Answer Security Concerns

Three research engineers, Dmitry Nedospasov, Thomas Roth, and Josh Datko, have made the website wallet.fail and published their presentation claiming security issues with Ledger and Trezor devices to the Chaos Communication Congress online after the event.

The two leading hardware wallet makers Trezor and Ledger have responded saying their cryptocurrency wallets are safe.

Ledger has responded a detailed blog post saying that although it is happy to see people challenging its security that:

They presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case. In particular they did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure.

Even though the researchers said they all “love cryptocurrency” and own crypto themselves Ledger expressed concern with their methods:

In the security world, the usual way to proceed is responsible disclosure… We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.

Ledger also believes the three researchers did not provide “practical vulnerabilities.”

Firstly, the researchers performed an attack that modified the physical wallet and used malware on the cryptocurrency owner’s PC in combination with a potential attacker in a nearby room needing to remotely enter the hacked PIN and launch the cryptocurrency application. Ledger says of this type of attack:

This scenario requires:

  • Physical access to the device to modify it
  • Installing a malware on the victim’s computer
  • Physically waiting in a side room with an antenna for the victim to enter his PIN and launch the Bitcoin app.

It would prove quite unpractical, and a motivated hacker would definitely use more efficient tricks.

Ledger went on to write:

They tried to perform a supply chain attack by bypassing the MCU check, but they did not succeed. The MCU manages the screen but doesn’t have any access to the PIN nor the seed, which are stored on the Secure Element.

Ledger does acknowledge there is a bug in its firmware update function which allowed the researchers to add software. Ledger says this bug has been solved in the device’s next firmware version and that the bug doesn’t allow anything other than a JTAG debug interface. The researchers were unable to access cryptocurrency funds.

Regarding the Ledger Blue wallet, the researchers measured radio emanations when a PIN was entered, this tactic could lead to an attacker calculating a user’s PIN. Ledger says the potential attack is “interesting” but in real conditions would mean a device has to remain in the same position as when a “dictionary” of emanations was recorded so is again, unlikely.

Ledger says they had already been considering such an attack responding with:

We already implemented a randomized keyboard for the PIN on the Ledger Nano S, and the same improvement is scheduled in the next Ledger Blue Firmware update.

They finished by writing that:

Ledger values all attempts to compromise our hardware wallets. We strongly believe that our Bounty program is the way towards continuous security improvements. We are, however, also convinced that responsible disclosure is the best practice to follow in order to protect the end users while improving our products’ security.

Trezor Respond

Trezor responded on twitter that it is “working with the info as it arrives”.

What it has acknowledged is that a vulnerability exists, but it is a physical vulnerability:

It appears that the researchers have identified some potential weaknesses, although it is very unlikely they can be exploited. Ledger and Trezor seem to be ahead of identifying vulnerabilities and and are showing best practice when responding to security concerns, even if the researchers and engineers don’t use the wallet’s own bug bounty programs.

Comments are off this post!