Sharing important information is essential for the development of Blockchain tech, even when the rivalry is persistent in the technology sector, and companies usually seek to keep secret their technological developments, sometimes companies break their secretive model allowing for important advancements in the industry. By allowing others to participate in the process of creating new and better products, technology also benefits from it and eventually advances.
It appears this was the intention behind an article published by Ledger, a well-known hardware crypto wallet manufacturer, exposing what it seems to be a security breach or vulnerability in one of their competitors but also seems to be affecting their own products. The analysis carried out by Ledger security team based its investigation on the Trezor One and Trezor T wallets.
The results published by Ledger exposed what it seems to be an issue with Trezor wallets and its authentication process, which apparently could allow for fake hardware pieces to be sold and people wouldn’t be able to note the difference between a real one and a fake.
Our analysis found that the genuineness of a Trezor device can be imitated. We were able to manufacture fake devices which are exact clones of a genuine one (same components, same hardware architecture, same look & feel). We were also able to open the box of a device, backdoor the device and re-seal the box (even with the “tamper-proof sticker” aimed at protecting against such attacks).
Ledger Security Team
Additionally, Ledger was also able to prove that a vulnerability of this kind could lead to obtaining the security pin of Trezor using a Side Channel Attack, while also obtaining personal information of customers. The investigation showed that current devices use a generic identification chip, making it impossible for customers to verify their products and their authenticity. According to the report:
A Side Channel Attack consists of presenting a random PIN and then measuring the power consumption of the device when it compares the presented PIN with the actual value of the PIN. This measurement allows an attacker to retrieve the correct value of the PIN within only a few tries (less than 5 in our case). We found that the PIN does not protect the funds against an attacker with a physical access to the device.
Ledger Security Team
Trezor was quick to reply back to those allegations thanking Ledger for its in-depth report, but also assuring customers that those type of vulnerabilities are not a real danger to customers given that the purpose of cold wallets is to protect digital assets from remote attacks, malware, viruses or hacks. The company continues on claiming that its almost impossible to make a crypto wallet perfect in all ways, with new vulnerabilities being created on a daily basis but they assure customers that their main focus relies on new developments that seek to improve the efficiency of their devices and security measures and are constantly updating their products to ensure they offer the best possible protection to their clients. As for the authenticity issue, Trezor claims all companies are subject of issues like this, which is why it’s extremely difficult to ensure people are not getting a fake product, reason why the main recommendation is to always purchase devices from their site directly.
As for which hardware crypto wallet offers the best product, that’s up to you to decide.