
Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets

Major hardware wallet manufacturer Ledger has disclosed vulnerabilities in devices made by its direct competitor Trezor, according to a report published on Monday, March 11.

As of press time, Trezor was not immediately available to comment on Ledger’s findings.

The report states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly contacted Trezor about weaknesses in its Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended.

The first issue is related to the genuineness of the devices. According to the Ledger team, the Trezor device can be imitated by backdooring the device with malware and then re-sealing it in its box by faking a tamper-proof sticker, which is reportedly easy to remove. Ledger states that this vulnerability can only be tackled by overhauling the design of the Trezor wallets and, in particular, by replacing one of the core components with a Secure Element chip.

Secondly, Ledger hackers reportedly guessed the value of the PIN on a Trezor wallet using a side-channel attack and reported it to Trezor in late November 2018. The company later solved the issue in its firmware update 1.8.0.

The third and fourth vulnerabilities, which Ledger also proposes to solve by replacing the core component with a Secure Element chip, concern the possibility of stealing confidential data from the device. Ledger states that an attacker with physical access to a Trezor One or Trezor T can extract all the data from the flash memory and gain control over the assets stored on the device.

The last weakness discovered is also related to Trezor’s security model: according to Ledger, the crypto library of the Trezor One does not contain proper countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the secret key via a side-channel attack, although Trezor has claimed that its wallets are resistant to it.

In November 2018, Trezor itself warned that an unknown third party was distributing one-to-one copies of its flagship Trezor One device. The fake wallets seemed to originate from China, and the company thus urged owners to buy wallets only from Trezor’s website.

However, in the recent report, Ledger claims that users cannot be sure of a device's integrity even when they purchase hardware from the official Trezor website. The attacker could possibly buy several devices, backdoor them, and then send them back to the manufacturer asking for reimbursement. If the compromised device is sold again, the user’s crypto funds can be stolen, Ledger concludes.

In November 2018, the research team behind the so-dubbed Wallet.fail hacking project demonstrated how they hacked the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. Both Trezor and Ledger then acknowledged the vulnerabilities found — with Trezor noting that a firmware update would address them — but Ledger also added that they were not critical for its wallets.
