Crypto hardware wallet maker Trezor has replied to claims about vulnerabilities in its products made by fellow major competitor Ledger. Earlier on March 11, Ledger had taken to its blog to detail five key vulnerabilities it claims to have found in two of Trezor’s hardware wallet models – Trezor One and Trezor Model T.
The first issue Ledger took with was that Trezor’s products did not seem very “genuine”, and could be easily cloned. The packaging for its wallets could also seem to be easily tampered with, and without any obvious physical signs that could alert a user that malware, for example, could have been implanted in the device.
Ledger’s second point was that it could deduce Trezor’s wallet PIN code from a side-channel attack. Its third point was that a similar attack could also be used to lift the private key from the wallet because of a weakness in the wallet’s scalar multiplication factor.
Its other two points are related to physical access of Trezor wallets. Ledger claimed that anyone who could physically take apart the device could also just as easily extract all the data from its flash memory.
In response to Ledger, Trezor clarified the following day that the particular vulnerabilities Ledger had named are not critical for hardware wallets. It maintained its wallets cannot be remotely hacked, and not just physical access is needed to exploit its wallets as Ledger claims, but also dedicated equipment and technical knowledge.
Moreover, Trezor highlighted a security survey it conducted recently with Binance, which showed that only a tiny minority (about 6%) of respondents felt a physical attack was the biggest threat to their crypto assets. Being able to crack open one of its wallets is also very unlikely, Trezor argued, because the particular equipment needed is very difficult to secure.
In short, of the five weaknesses alleged by Leger, Trezor defended itself saying that four of them have been fixed, are not exploitable, or will require a PIN. It also said it scrutinizes its manufacturing process.
Trezor concluded that no wallet product out there can be completely safe. It said, “No hardware is unhackable, and depending on what your security model is, there are tools which you can use to mitigate threats. For users who are wary of physical attacks, passphrases for plausible deniability and operational security are the way to go. For users who are concerned about remote attacks, nothing changes.”