Trezor Scrambles to Patch Vulnerability Flagged by Rival Ledger
Trezor has resolved a security flaw in its Safe 3 and Safe 5 hardware wallets following a disclosure by rival Ledger, which uncovered a way to bypass some of Trezor's existing countermeasures against supply chain attacks.
Trezor Responds to Ledger’s Security Findings
Hardware wallet provider Trezor has addressed a vulnerability in its Safe 3 and Safe 5 models after a security review by Ledger’s Donjon team exposed potential weaknesses in the devices’ two-chip architecture. The flaw, described as a “theoretical” threat, could be exploited only through complex physical supply chain attacks, most likely affecting second- or third-hand devices.
The vulnerability came to light after Ledger shared its findings with Trezor, prompting a public disclosure by the latter on March 5.
Trezor stated on X.com,
"Ledger Donjon recently evaluated our Trezor Safe Family and successfully reused a previously known attack to demonstrate how some countermeasures against supply chain attacks in Trezor Safe 3 can be bypassed."
Bypassing Supply Chain Protections
According to the March 12 report from Ledger, its Donjon security research team reused a known physical attack method to demonstrate that cryptographic operations could still be executed on the microcontroller of Trezor’s Safe 3 and Safe 5 models despite the existing safeguards. The microcontroller, which works in tandem with a secure element chip in Trezor’s two-chip design, was identified as a new potential attack vector.
While Trezor had implemented firmware integrity checks to detect tampered software, Ledger demonstrated that these safeguards could be bypassed under specific conditions. This indicated that even with secure element chips designed to block low-cost attacks like voltage glitching, a skilled attacker could potentially compromise the device by targeting the microcontroller.
Trezor Issues Fix and Reassures Users
Following its internal review of Ledger’s findings, Trezor confirmed that it had taken action to mitigate the vulnerability. The company emphasized that the exploit did not pose an immediate risk to users and no action was required on their part. It reiterated that its layered security approach remains effective in defending against supply chain threats.
In a statement on X, Trezor acknowledged the inherent challenges in cybersecurity and noted that while firmware patches had been issued, software updates alone cannot eliminate all risks. The company advised users to only purchase devices directly from authorized retailers to minimize exposure to supply chain tampering.
Industry Collaboration on Security Standards
Ledger’s Chief Technology Officer, Charles Guillemet, praised Trezor’s prompt response, stating,
“Enhancing the overall security of the ecosystem is essential as we work toward wider adoption of crypto and digital assets.”
Ledger has faced its own security challenges in recent years. In 2023, an exploit in Ledger’s connector library led to a $484,000 loss in crypto funds. A separate breach in 2020 compromised the personal data of over 270,000 customers.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.