Trezor Wallets Vulnerability | What We Know So Far


Trezor, the leading hardware wallet provider, has patched a security issue in their Safe 3 and Safe 5 wallets after researchers from Ledger Donjon, the security team of rival company Ledger, found a bug.

The issue was in the microcontrollers and potentially allowed attacks to compromise security. But Trezor says users’ funds are safe and no action is required.

The security flaw was discovered by Ledger Donjon, an open-source research team focused on hardware wallet security.

According to their findings, Trezor had implemented Secure Elements (SE) to protect users’ PIN codes and cryptographic secrets, but cryptographic operations could still be performed on the microcontroller.

This means a highly skilled attacker could manipulate the firmware and the microcontroller and compromise Trezor wallets, including Safe 3 and Safe 5.

One of the risks highlighted by Ledger was the voltage glitching attack. This is described as a “quick attack with a cheap setup”, where an attacker manipulates the power supply to the microcontroller to bypass security and change crucial settings.

Ledger’s CTO, Charles Guillemet, explained, “We believe that making the ecosystem more secure helps everyone and is critical as we push towards broader adoption of crypto and digital assets.”

[Image: Charles Guillemet highlights the chips in question]

After Ledger’s report, Trezor acknowledged the issue and worked on a fix. They confirmed that the bug existed but said it has been patched and that no action is required. Trezor also said some parts of the bug could not be fixed with just a firmware update.

They also emphasized the importance of multi-layered security to prevent supply chain attacks and advised customers to only buy wallets from official sources to minimize risks.

According to the researchers, this can be classified as a “supply chain attack”. This means that if the device is intercepted by a bad actor before reaching the user, there is a chance the device can be manipulated.

Reports say that in this case, tampering with the device could cause it to generate seed phrases with a much lower entropy, and use repeated nonces for transactions. This poses a significant risk to users.
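As an added illustration of the repeated-nonce symptom described above (not code from Trezor, Ledger or the original article): an ECDSA nonce used twice by one key shows up as the same `r` value paired with different `s` values, so signatures produced by a device can be audited for it. The function names, record layout and sample values are assumptions constructed for this example; `N` is the group order of secp256k1, the curve Bitcoin uses.

```python
from collections import defaultdict
# Order of the secp256k1 group, used to fold s and N - s (the same signature, malleated).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Parse a DER ECDSA signature (SEQUENCE of two INTEGERs) into (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        end = pos + 2 + sig[pos + 1]
        if sig[pos + 1] == 0 or end > len(sig):
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: (txid, pubkey, der_sig). Return {(pubkey, r): sorted txids} where one
    key produced the same r with at least two different s values (a repeated nonce)."""
    seen = defaultdict(dict)                 # (pubkey, r) -> {low_s: first txid}
    for txid, pubkey, der in records:
        r, s = parse_der_sig(der)
        seen[(pubkey, r)].setdefault(min(s, N - s), txid)
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

def der_encode(r: int, s: int) -> bytes:
    """Encode (r, s) as DER; used only to build the constructed samples below."""
    def enc(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample data: made-up txids, key labels and signature values, not real transactions.
SAMPLE = [
    ("tx-a", "key-1", der_encode(0x1234ABCD, 0x1111)),
    ("tx-b", "key-1", der_encode(0x1234ABCD, 0x2222)),      # same r, different s: flagged
    ("tx-c", "key-1", der_encode(0x1234ABCD, N - 0x1111)),  # malleated copy of tx-a: ignored
    ("tx-d", "key-2", der_encode(0x1234ABCD, 0x3333)),      # different key: not compared
    ("tx-e", "key-1", der_encode(0x9999, 0x4444)),
]
if __name__ == "__main__":
    print(find_reused_r(SAMPLE))
```

A signature repeated verbatim, or the same message signed twice with a deterministic nonce, yields an identical `(r, s)` pair and is deliberately not flagged.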

This vulnerability and patch are a reminder that securing hardware wallets is an ongoing challenge. While Secure Elements help a lot, vulnerabilities in other components like microcontrollers mean users must always be on their toes.

Trezor and Ledger have had their share of issues in the past. In December 2023 Ledger got attacked on its connector library and lost $484,000 of digital assets. In 2020 a major breach exposed 270,000 Ledger customers’ personally identifiable information.

Despite being competitors, Ledger’s discovery and Trezor’s fix show they are on the same page when it comes to security.

While hardware wallets are one of the safest ways to store your bitcoin, experts always urge users to follow best practices, including:

  • Buy from official sources: Only buy from the manufacturer or authorized resellers to avoid ending up with a tampered device.
  • Use strong PINs: Don’t use simple or predictable PINs.
  • Use a passphrase: Adding a passphrase provides an extra layer of security so even if an attacker finds the seed phrase, they can’t access the funds.
  • Keep your device physically secure: Make sure your wallet is physically locked and out of sight when you’re not around.
  • Stay informed: Check for firmware updates and security advisories from your hardware wallet provider.

The recent Safe 3 and Safe 5 patches are reminders that even the most secure storage is not set-and-forget.
