Ledger: Trezor may have active vulnerabilities
These revelations go straight to the heart of the technical differences between Ledger and Trezor.
- These revelations add to the contentious debate around Trezor's lack of a secure element chip.
- The vulnerabilities include resolved side channel attacks, unresolved supply chain attacks and mysterious "surprise attacks".
- The enigmatic surprise attacks may have implications for the wider microchip industry.
After discovering and responsibly disclosing them to Trezor several months ago, Ledger has now revealed several alleged vulnerabilities in Trezor's hardware wallets. Some of them have been patched, while others remain active.
The vulnerabilities are largely oriented around Trezor's lack of a secure element, which is also one of the more complicated and important, but less visible, key points of difference between Ledger and Trezor hardware wallets.
In a nutshell:
- Ledger says using a secure element is a good way of providing more security certainty, and that it's widely regarded as the industry best practice for a reason.
- Trezor says the secure element may be an extra point of failure, and that blindly trusting the security of a secure element is unwise.
Trezor maintains that because its devices are not reliant on secure elements they can achieve better than bank-grade security, while Ledger's counter-argument is basically just "no".
You can still find interesting exchanges between Ledger CTO Nicolas Bacca (going by "btchip") and former Trezor CEO Alena Vranova (going by "Cor-Leonis") on Reddit, discussing this exact issue.
That background makes exploring the newly revealed alleged vulnerabilities more interesting, because Ledger is saying many of the still-active vulnerabilities can only be fixed by overhauling the device's design and implementing a secure element.
As an added bonus, Ledger's security team is called Ledger Donjon. In old French, a donjon is a secure keep within a castle's walls – just like a secure element within a hardware wallet.
There were several vulnerabilities discovered. Exactly how many depends on how you want to categorise them.
Side channel attacks
A side channel attack refers to a way of cracking a device through information it gives off on the side, rather than by directly taking advantage of flaws in the cryptography itself.
In this case, the side channel attacks that Ledger discovered involved using an oscilloscope to measure how a Trezor wallet's power fluctuates in different situations, and then using those fluctuations to extrapolate information. A near-identical vulnerability in earlier Trezor wallets was uncovered and fixed in 2015.
In this case, Ledger Donjon managed to guess a Trezor's PIN in fewer than 5 attempts (you have up to 15 incorrect tries before the wallet essentially destroys itself) by reading the wallet's power consumption while entering random PINs, and then using that information to make increasingly better guesses.
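To make the mechanism concrete, here is a constructed Python simulation (added for this article; it is not Ledger Donjon's or Trezor's code and does not model Trezor's firmware or the fix shipped in 1.8.0). A PIN check that stops at the first wrong digit does more work when more leading digits are right, and the amount of work stands in for the power trace an oscilloscope would record. A guesser that watches only that trace finds a four-digit PIN in about a dozen tries, while a constant-time comparison costs the same for every guess and gives the guesser nothing. The names `compare_leaky`, `compare_constant_time`, `observable_trace_values` and `recover_pin`, and the PIN `1023`, are all made up for the example.

```python
"""Toy model of a power-analysis side channel on PIN verification (constructed example)."""
from __future__ import annotations

from itertools import product

DIGITS = "0123456789"


def compare_leaky(stored: str, guess: str) -> tuple[bool, int]:
    """Early-exit comparison, the kind that leaks.

    Returns (match, trace). `trace` counts the digit comparisons actually
    executed, standing in for the length of the power spike an
    oscilloscope would see: the check stops at the first wrong digit,
    so a guess with more correct leading digits costs more work.
    """
    work = 0
    for s, g in zip(stored, guess):
        work += 1
        if s != g:
            return False, work
    return True, work


def compare_constant_time(stored: str, guess: str) -> tuple[bool, int]:
    """Constant-time comparison: every guess costs exactly len(stored) steps."""
    diff = 0
    work = 0
    for s, g in zip(stored, guess):
        work += 1
        diff |= ord(s) ^ ord(g)  # accumulate the difference, never branch on the data
    return diff == 0, work


def observable_trace_values(compare, stored: str) -> set[int]:
    """Defender's check: the set of distinct traces over every possible guess.

    A single value means the comparison reveals nothing about the stored
    PIN; more than one value means there is something to measure.
    """
    return {
        compare(stored, "".join(digits))[1]
        for digits in product(DIGITS, repeat=len(stored))
    }


def recover_pin(compare, stored: str) -> tuple[str | None, int]:
    """Adaptive guesser that sees only (match, trace) for each attempt.

    Works one digit position at a time: as soon as one digit's trace
    differs from the others, that digit got past the check and is kept.
    Returns (pin or None, number of attempts used).
    """
    n = len(stored)
    known, attempts = "", 0
    while len(known) < n:
        traces: dict[str, int] = {}
        for d in DIGITS:
            attempts += 1
            ok, trace = compare(stored, (known + d).ljust(n, "0"))
            if ok:
                return known + d, attempts
            traces[d] = trace
            if len(set(traces.values())) > 1:
                known += max(traces, key=traces.get)  # the odd one out did more work
                break
        else:
            return None, attempts  # every digit looked the same: nothing leaked
    return None, attempts


if __name__ == "__main__":
    pin = "1023"  # constructed PIN for the demonstration
    for name, fn in (("leaky", compare_leaky), ("constant-time", compare_constant_time)):
        print(name, "distinct traces:", sorted(observable_trace_values(fn, pin)))
        print(name, "guesser result:", recover_pin(fn, pin))
```

The `observable_trace_values` check is the part a firmware team would keep as a regression test: run the comparison over every input, and if more than one trace value shows up, the routine has a data-dependent cost that a measurement setup can exploit. Real power analysis is noisier and richer than a single work counter, which is why the article's attack needed far fewer attempts than this toy guesser, but the defensive principle is the same.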
This PIN-guessing side channel attack was reported to Trezor on 20 November 2018, and fixed a couple of weeks ago in the 1.8.0 update for Trezor One.
"We truly appreciate the knowledge brought to this conversation by everyone who worked with us," Trezor said at the time. "Communication with all involved parties was very professional and focused on a common goal: improving the overall security of the solutions we provide to our users."
The second side channel vulnerability remains unfixed: the same method could be used to uncover private keys during a transaction. It's unfixed because it's harmless, as it can only be carried out by someone who already has the device's PIN and can already access the funds in the first place.
Ledger only mentions it because "it was... claimed to be secure against side channel attacks, which unfortunately proved incorrect".
"Side-channeling the PIN on Trezor One was indeed impressive and we commend Ledger's effort. At the same time, we would like to thank Ledger for responsibly disclosing the issue to us," Trezor said in its response.
Supply chain attacks
Ledger also demonstrated a couple of supply chain attacks. One involved manufacturing an exact Trezor replica which could theoretically be loaded with backdoors or other nasties and sold to an unsuspecting customer.
The other involved successfully opening, tampering with and then re-sealing a Trezor wallet, including peeling off and replacing the tamper-proof sticker without leaving a trace.
Incidentally, supply chain attacks are why you should never use a second-hand hardware wallet, and should never buy one from eBay, Amazon or anyone except the manufacturer itself and authorised resellers.
Trezor maintains that these vulnerabilities are common to all hardware devices of any kind, and that there's really not much to be done except to remind people to only purchase from Trezor directly.
Ledger disagrees, and notes that a practical attack could involve buying Trezor wallets, tampering with them and then returning them for a refund, and hoping they're later sold to another unsuspecting customer. It also recommends a secure element chip to help mitigate the risks.
"In our view, this vulnerability can only be patched by overhauling the design of the Trezor One, and replacing one of its core components to incorporate a Secure Element chip, as opposed to the general purpose chip currently used. To our knowledge, this vulnerability is still active as of this publication," Ledger says.
There are also some alleged vulnerabilities which have yet to be resolved or publicised in detail. Trezor says the issue goes beyond hardware wallets alone, and that Ledger is currently in talks with the chip manufacturer (STMicroelectronics) about it.
Trezor also expressed some surprise that Ledger mentioned the vulnerability, given that Ledger had specifically asked Trezor to keep it under wraps. Appropriately enough, the actual announcement of the vulnerability could be seen as something of a surprise attack.
"We were surprised by Ledger's announcement of this issue, especially after being explicitly asked by Ledger not to publicize the issue, due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries," Trezor said.
Not much is known about the attack, but from what Ledger and Trezor have jointly revealed we know it's complicated.
"In our view, this vulnerability can not be patched, it can only be circumvented by overhauling the design of the Trezor One / Trezor T, and replacing one of its core components to incorporate a Secure Element chip, as opposed to the general purpose chip currently used," Ledger said. "This vulnerability can not be patched – for this reason, we have elected not to disclose its technical details. It could also be mitigated by users adding a strong passphrase to their device."
"This attack vector is also resource-intensive, requiring laboratory-level equipment for manipulations of the microchip as well as deep expertise in the subject," Trezor said. "Passphrases will completely mitigate this attack vector," it added.
Are your funds still safe if you use a Trezor? Almost certainly, unless you're being targeted by a well-funded ring of thieves consisting of the world's foremost experts on hardware security. And even if you are, you can still set up multiple passphrases to help mitigate the risks.
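Why a passphrase blunts an attack that extracts the chip's contents comes down to how the wallet derives its keys. The following Python example is added here and is not Trezor's or Ledger's code; it assumes, as Trezor-style wallets do, that keys come from a BIP39 mnemonic stretched together with an optional passphrase, and that the passphrase is typed in each session rather than stored on the device. Under that assumption, an attacker who pulls the mnemonic off the chip can only derive the wallet for the empty passphrase, which is a different wallet from the one holding the funds. The helper names `bip39_seed`, `bip32_master_key` and `passphrase_wallet_differs` are made up; the mnemonic is the standard all-zero-entropy BIP39 test phrase and the passphrase `TREZOR` is the one used in the public BIP39 test vectors.

```python
"""Why a passphrase blunts key extraction: BIP39 seed derivation (constructed example)."""
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed".
    The left 32 bytes are the master private key, the right 32 the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def passphrase_wallet_differs(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase-protected wallet has a different master key
    from the one reachable with the mnemonic alone (empty passphrase), i.e.
    from what an attacker holding only the extracted mnemonic can derive."""
    without_pp, _ = bip32_master_key(bip39_seed(mnemonic))
    with_pp, _ = bip32_master_key(bip39_seed(mnemonic, passphrase))
    return with_pp != without_pp


# Constructed demonstration input: the standard BIP39 test mnemonic (all-zero entropy).
DEMO_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    seed_plain = bip39_seed(DEMO_MNEMONIC)
    seed_pp = bip39_seed(DEMO_MNEMONIC, "TREZOR")
    print("seed, no passphrase  :", seed_plain.hex()[:32], "...")
    print("seed, with passphrase:", seed_pp.hex()[:32], "...")
    print("master keys differ   :", passphrase_wallet_differs(DEMO_MNEMONIC, "TREZOR"))
```

The point of `passphrase_wallet_differs` is that the passphrase is an input to the key-stretching step, not a lock on top of a stored key: there is no passphrased key on the chip to extract. The flip side is that a weak or guessable passphrase can be brute-forced offline by anyone holding the mnemonic, which is why the advice above is specifically a strong passphrase.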
However, it's worth noting that no such issues have been found in Ledger to date and that in all cases it recommends a secure element as the solution. And with secure elements standing as the chief technical point of difference between Ledger and Trezor, these revelations may have significant implications for the space as a whole.
And hey, the latest Ledgers are still cheaper. There's no accounting for taste though.
Disclosure: The author holds ETH and XLM at the time of writing.