Trezor Elaborates on Cryptocurrency Hardware Wallet Exploits Found by Rival Ledger
As reported by Bitcoin Exchange Guide on March 11, 2019, Ledger, a Paris-based cryptocurrency hardware manufacturer published a report, claiming that there are several vulnerabilities in the hardware wallets of its Prague-based direct competitor, Trezor. However, Trezor has now responded to Ledger’s claims via a Medium blog post on March 12, 2019.
Trezor says All Vulnerabilities Have Since Been Patched
During the recently concluded MIT Bitcoin Expo 2019, highly reputed cryptocurrency hardware maker, Ledger claimed that Trezor’s crypto wallet had five severe vulnerabilities that make it susceptible to attacks (Supply Chain Attack, Software Crappy Attack, Side Channel PIN Attack, Side Channel Attack Scalar Multiplication).
For starters, the Trezor team has made it clear that none of the attacks mentioned by Ledger can be exploited remotely, as the attacker must have physical access to the hardware wallet, specialized equipment, time and technical know-how, in order exploit the vulnerabilities and steal users’ funds.
Citing a recent study it conducted in collaboration with Binance, Trezor claims that out of the 14,471 crypto savvy respondents surveyed in December 2018, only 5.93 percent believe that physical attack is the biggest threat to their digital assets, while 66 percent said that remote attack is a primary threat.
According to Trezor, since the issue of physical threat which nearly 6 percent of the surveyed population say is their biggest danger can be mitigated by using a passphrase, it means that the entire vulnerabilities outlined by Ledger are of lower significance for the majority of hardware wallet users.
100 Percent of Security is Impossible
Specifically, Trezor has said that while their primary objective of hardware crypto wallets remains to protect people’s funds against malware attacks, computer viruses, and a vast array of remote threats, it is however impossible to achieve perfect physical security due to the
“$5 wrench attack.”
For the uninitiated, a “$5 wrench attack” is an extortion strategy whereby a suspected cryptocurrency holder is held against his/her will by criminals, intoxicated with hard drugs or alcohol and tortured mercilessly until the victim gives up his private keys.
“If we consider accidental thefts, there is a very slim chance that someone who finds your hardware wallet by chance will have any equipment needed to crack into these devices,”
Also, Trezor has stated explicitly that its hardware crypto storage devices are all crafted to withstand all forms of remote attacks and if users put enough efforts into creating strong passphrases, then it will be tough for bad actors to steal their funds through a physical attack.
“We designed the Trezor devices with the above-explained threat models in mind. Our main focus is on protecting the user against remote attacks. This being said, in combination with strong passphrases and at least the basic operational security principles, even the physical attacks presented by Ledger cannot affect Trezor users,”
Commenting on the matter, Marek Palatinus, CEO of Satoshi Labs, reiterated that:
“We would like to thank Ledger for practically demonstrating the attack that we have been aware of since creating Trezor. Because we realize no hardware is 100% safe, we introduced the concept of passphrase; that besides plausible deniability eliminates many kinds of physical attacks, like this one.”