Ledger announces five major flaws in Trezor hardware wallet
In the world of cryptocurrency, the security of stored funds has always been a central concern for users. Hardware wallets are seen as a good choice for securing crypto assets, with Ledger and Trezor being the best known. To ensure the safety of their products, the R&D teams behind these wallets each take their own approach: Ledger set up a hacking lab that attacks its own devices and those of other hardware wallet vendors to test their security.
Today, Ledger announced on its official website five vulnerabilities it discovered in Trezor products. The company said it discovered these vulnerabilities four months ago and informed Trezor in accordance with vulnerability disclosure rules. After the disclosure period ended, Ledger published the vulnerabilities it found and the status of their fixes.
The vulnerabilities announced by Ledger are real, but as long as the attacker does not physically obtain the user's hardware wallet, there is essentially nothing they can do. Even so, the hardware wallet is one of the main gateways to stored funds, and its security should not be underestimated.
The following are the complete vulnerability details published by Ledger:
Safety is a top priority for Ledger – rooted in every product we sell and every decision we make. Every day, we are challenging ourselves to create better and safer technologies and products.
Our first priority is to provide customers with the most advanced security through Ledger's hardware wallet, IoT and institutional investment products. However, as the global leader in blockchain security solutions, we believe that the promise of security should not be limited to ourselves. With the world's most innovative technology and unparalleled team, we have a responsibility to improve the safety of the entire blockchain ecosystem wherever possible. A shared commitment to security not only better protects the assets of individuals and institutions, but also helps build the much-needed trust in the entire encryption arena.
As we said in the previous article:
We are responsible for improving the safety of the entire blockchain ecosystem wherever possible.
Ledger's world-class security team, Ledger Donjon, has an Attack Lab at our Paris headquarters where we attack our own and competitors' devices and disclose security vulnerabilities.
For the security of the entire community, we have also shared the tools and best practices we deploy, such as our side-channel analysis library, Lascar, and the simulation tool Rainbow.
We have been attacking our own devices to ensure we maintain the highest standards of security and keep up with new techniques in the face of increasingly sophisticated attackers. We apply the same approach to our competitors' devices because we have a shared responsibility to ensure a high level of safety throughout the industry.
When studying the safety of competing products, we always follow responsible disclosure principles: we inform the affected parties of any vulnerabilities discovered by our labs and give them time to find solutions. It is important to follow the disclosure agreement before disclosing any information, so that hackers cannot exploit the vulnerability before the problem is resolved.
It is worth noting that about four months ago, we contacted Trezor and shared five vulnerabilities discovered in our lab. As usual, we gave Trezor some time to deal with these vulnerabilities and even granted them two extensions.
This analysis covers Trezor's two hardware wallets (Trezor One and Trezor T), with Trezor One as the focus. It also applies to counterfeits of the Trezor wallet. We disclosed these vulnerabilities to our suppliers and allowed them to take appropriate steps to protect users. Now that the disclosure period (including two extensions) is over, we hope to share the details with you in a spirit of full understanding and transparency.
Trezor Security Analysis
Vulnerability 1: Device Authenticity (Genuineness)
Overview
The authenticity of the device is an important attribute to ensure its reliability.
Analysis
Our analysis found that Trezor devices can be counterfeited. We are able to produce counterfeit devices that are exact replicas of the original (same accessories, identical hardware architecture, same look and feel). We can also open a device, install a backdoor, and re-seal it (even if there is a "tamper-proof label").
In this case, the attacker completely controls the code of the counterfeit device. For example, an attacker can:
1. Add a key to the device in advance
2. Add a backdoor to the device, install malware, and send the encrypted asset to another address
3. Install a password vulnerability to get encrypted assets
4. Add a backdoor and install malware to extract the key
Even if the user purchases the device directly from Trezor's official website, they cannot be sure it is genuine. An attacker can purchase multiple devices, add backdoors, and send them back for a refund.
Result: The vulnerability was reported to Trezor. Trezor said this is not part of their security model and pointed out that if users buy their products directly from the Trezor website (as Trezor recommends), there is no such problem. We believe that this vulnerability can only be fixed by modifying Trezor One's design and replacing one of the core components with a secure component chip instead of the one currently used. To the best of our knowledge, this vulnerability still exists at the time of this article.
(Figure 1: Removing a secure seal from Trezor with a heated scalpel)
(Figure 2: Trezor with a pre-added key - exactly the same as the original)
Vulnerability 2: PIN (Personal Identification Number) Protection
(Figure 3: guess PIN code)
Overview
The PIN code is used to unlock the device and access the funds it protects. The device currently gives the user 15 attempts, with a waiting time that grows exponentially. This feature should be tamper-proof.
Analysis
According to our security analysis, on a targeted or stolen device it is possible to guess the value of the PIN using a side-channel attack. The attack submits a random PIN and measures the power consumption of the device while that PIN is compared with the actual PIN value. The attacker needs only a few attempts (no more than 5 in our tests) to obtain the correct PIN. We found that once an attacker gains access to the device, the PIN code does not protect the funds.
Result: Reported to Trezor on 2018-11-20. This vulnerability has been fixed by Trezor in firmware update 1.8.0.
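The two properties the Overview asks of PIN protection, a bounded retry counter and a comparison whose control flow does not depend on the secret, are shown below in C. This is an added illustration, not Ledger's or Trezor's code: `pin_state`, `pin_verify`, `pin_wait_seconds`, the 9-digit maximum and the doubling delay are assumptions; only the 15-attempt limit comes from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIN_LEN          9u    /* assumed maximum PIN length */
#define PIN_MAX_ATTEMPTS 15u   /* attempt limit quoted in the article */

typedef enum { PIN_LOCKED = -1, PIN_WRONG = 0, PIN_OK = 1 } pin_result;

/* Hypothetical persistent state; firmware would keep this in flash. */
typedef struct {
    uint8_t  pin[PIN_LEN];   /* ASCII digits, zero padded */
    uint32_t failed;         /* consecutive failed attempts */
} pin_state;

/* Branch-free compare: reads all n bytes and never exits early. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Delay before the next attempt; doubling per failure is an assumption. */
uint32_t pin_wait_seconds(uint32_t failed)
{
    if (failed == 0) return 0;
    return 1u << (failed > PIN_MAX_ATTEMPTS ? PIN_MAX_ATTEMPTS - 1 : failed - 1);
}

pin_result pin_verify(pin_state *st, const uint8_t *guess, size_t n)
{
    uint8_t padded[PIN_LEN] = {0};
    int ok = (n > 0 && n <= PIN_LEN);
    if (st->failed >= PIN_MAX_ATTEMPTS)
        return PIN_LOCKED;
    /* Record the attempt before comparing, so interrupting the comparison
       (for example by cutting power) cannot earn an uncounted guess. */
    st->failed++;
    memcpy(padded, guess, ok ? n : 0);
    ok &= ct_equal(st->pin, padded, PIN_LEN);
    if (!ok)
        return PIN_WRONG;
    st->failed = 0;
    return PIN_OK;
}

int main(void) { pin_state s = { {'1','2','3','4'}, 0 }; return pin_verify(&s, (const uint8_t *)"1234", 4) != PIN_OK; }
```

The branch-free compare removes only timing and control-flow differences; the compared values still influence the CPU's power draw, so it is not on its own a countermeasure to the power measurement Ledger describes.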
Vulnerabilities 3 & 4: Device internal data confidentiality (for Trezor One and Trezor T)
Overview
The confidentiality of the device's internal data is crucial because it contains all the private information that gives access to the user's funds: private key, seed. The hardware wallet must act as a secure territory for such data.
Analysis
According to the analysis, an attacker who obtains the device can extract all the data stored in the flash (and can therefore drain the assets of all accounts). Our attack applies to both Trezor One and Trezor T.
Result: It has been reported to Trezor. We believe that this vulnerability cannot be fixed unless the Trezor One or Trezor T design is modified and one of the core components is replaced with a secure component chip instead of the one currently used. This vulnerability cannot be fixed, so we chose not to disclose its technical details. Users can also mitigate it by adding a higher-security password to the device.
Vulnerability 5: Password Stack Analysis
Overview
We analyzed the cryptographic code base of Trezor One. We found that, apart from the scalar multiplication function, this library does not contain appropriate countermeasures against hardware attacks (which may be a cause for concern), but we focused mainly on scalar multiplication. This function is the primary cryptographic operation in cryptocurrencies because it is used for most operations involving the secret key. This function can be used to prevent side-channel attacks, which is what we wanted to evaluate.
Analysis
According to the analysis, an attacker who obtains the device can extract the secret key through a side-channel attack, provided that the key is used by the scalar multiplication function. Scalar multiplication is one of the core functions of cryptocurrency cryptography, and it is especially important for transaction signatures. Using a digital oscilloscope and some measurement data, we proved that it is feasible to extract the transaction key by side-channel analysis.
Result: This vulnerability was reported to Trezor. It can be fixed, but it does not directly affect Trezor's security model, because without knowing the device's PIN beforehand it is not possible to trigger this operation. However, the other party claimed that it was protected against side-channel attacks, and unfortunately, the truth is quite the opposite.
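Why scalar multiplication is a side-channel target, shown on a toy group (integers modulo 65521 under addition) rather than an elliptic curve: the operation sequence of plain double-and-add follows the key bits, while a Montgomery ladder with a masked swap runs the same sequence for every key. This is an added example, not code from Trezor's library or Ledger's analysis, and the article does not say which algorithm Trezor used; all names and constants are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define BITS 16
#define MOD  65521u   /* toy group: integers mod 65521 under addition */

/* Records which group operations ran, standing in for a power trace. */
typedef struct { char ops[2 * BITS + 1]; int n; } trace;

static uint32_t g_add(uint32_t a, uint32_t b, trace *t) { t->ops[t->n++] = 'A'; return (a + b) % MOD; }
static uint32_t g_dbl(uint32_t a, trace *t)             { t->ops[t->n++] = 'D'; return (2 * a) % MOD; }

/* Left-to-right double-and-add: an addition happens only for 1 bits. */
uint32_t mul_naive(uint16_t k, uint32_t p, trace *t)
{
    uint32_t r = 0;
    memset(t, 0, sizeof *t);
    for (int i = BITS - 1; i >= 0; i--) {
        r = g_dbl(r, t);
        if ((k >> i) & 1)
            r = g_add(r, p, t);
    }
    return r;
}

/* Swap a and b when bit == 1, using a mask instead of a branch. */
static void cswap(uint32_t *a, uint32_t *b, uint32_t bit)
{
    uint32_t mask = 0u - bit, x = (*a ^ *b) & mask;
    *a ^= x; *b ^= x;
}

/* Montgomery ladder: one add and one double per bit, whatever the bit is. */
uint32_t mul_ladder(uint16_t k, uint32_t p, trace *t)
{
    uint32_t r0 = 0, r1 = p;            /* invariant: r1 == r0 + p */
    memset(t, 0, sizeof *t);
    for (int i = BITS - 1; i >= 0; i--) {
        uint32_t bit = (k >> i) & 1u;
        cswap(&r0, &r1, bit);
        r1 = g_add(r0, r1, t);
        r0 = g_dbl(r0, t);
        cswap(&r0, &r1, bit);
    }
    return r0;
}
int main(void) { trace a, b; return mul_naive(0xA5A5, 1234, &a) != mul_ladder(0xA5A5, 1234, &b); }
```

A uniform operation sequence closes only this one leak; the operand values still differ per key, which is why hardened implementations add further countermeasures on top of a regular ladder.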




