Ledger Chief Security Officer Charles Guillemet gave a shocking presentation at the MIT Bitcoin Expo this week in which he presented alleged vulnerabilities with the hardware cryptocurrency wallet produced by Trezor – perhaps its top competitor. Trezor argues in a new blog post that all of the attack vectors mentioned are not exploitable remotely.
Trezor particularly took umbrage to the disclosure of an existing chip vulnerability, saying:
“[W]e were surprised by Ledger’s announcement of this issue, especially after being explicitly asked by Ledger not to publicize the issue, due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries. Since Ledger is in talks with the chip manufacturer (ST) at the moment, we will also refrain from divulging any critical information, save for the fact that this attack vector is also resource-intensive, requiring laboratory-level equipment for manipulations of the microchip as well as deep expertise in the subject.”
Neither they nor Ledger have disclosed much more about the vulnerability outside of the presentation in the video above. All we know is that it’s related to a chip produced by ST Microelectronics, a French hardware component producer. As SatoshiLabs (the makers of Trezor) point out, the vulnerability goes beyond just crypto wallets. They say that regular security measures mitigate against it, but don’t detract from the seriousness of the problem.
After all, even major cryptocurrency exchanges are known to use hardware wallets for cold storage. Even if it requires “laboratory level” equipment and extreme knowledge, the jackpot is big enough that attacks could take place if people learn how to do them.