The Winner of Ledger vs Trezor Catfight Is… You
Two of the biggest hardware wallet manufacturers, Ledger and Trezor, have been in an argument over vulnerabilities that Ledger discovered in Trezor’s devices. The spat ended with Ledger saying they had “granted Trezor time” to fix the discovered issues, and Trezor replying “none of these attacks are exploitable remotely,” effectively telling Ledger to leave them alone. Still, the biggest winner of this would be the end user, who gets to benefit from increased security.
The issue started when Ledger recently revealed that Ledger Donjon, their security team, has an Attack Lab in their Paris headquarters, which they use to hack into both their own and their competitors’ devices to expose vulnerabilities.
One of the devices they reportedly managed to hack into was their Trezor’s hardware wallet – their direct competitor. In a blog post addressing the story, Ledger’s team writes, “About four months ago we contacted Trezor to share five vulnerabilities our Attack Lab uncovered. As always, we gave Trezor a responsible disclosure period to work on these vulnerabilities, even granting them two extensions.” However, the blog post goes on to say that Trezor has not replied and that those two “extension periods” have now expired.
This question was again raised at the MIT Bitcoin Expo event on Sunday, where Ledger repeated the vulnerabilities:
This time, Trezor finally replied.
“While it is true that Ledger has reported and communicated with us throughout the disclosure, some of the facts are represented differently during their presentation, which inadvertently led to an alarmist interpretation of the vulnerabilities. For this reason, we would like to address the claims made, clarify, and respond to them accordingly,” they wrote in an emailed statement to the media.
The official statement, posted on their blog, says that “none of these attacks [brought forward by Ledger are exploitable remotely,” adding that, “all of the demonstrated attack vectors require physical access to the device, specialized equipment, time, and technical expertise.”
“In combination with strong passphrases and at least the basic operational security principles, even the physical attacks presented by Ledger cannot affect Trezor users,” Trezor goes on to add.
Meanwhile, although users agree that Trezor won the fight with their reply, in the end, the true winners are the users themselves. This situation tells both companies to stay on top of their game security-wise, as well as forcing them to be transparent with their userbase. This is all similar to what happened in December at the 35th Chaos Communication Congress in Leipzig: a team called wallet.fail demonstrated a series of attacks against Trezor and Ledger hardware wallets, showing that even hardware wallets can be compromised by criminals who have direct access to their targets. Ledger responded that wallet.fail "did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure."
Back then, Twitter user Felix Weis summarized the issue in a tweet: “Think of a hardware wallet as a single condom for your Bitcoins. Correct usage can protect you from the vast majority of unwanted pregnancies. But it won’t protect you against a mean ex-girlfriend with physical access to your condoms.”