{"id":22011,"date":"2025-03-13T10:54:03","date_gmt":"2025-03-13T08:54:03","guid":{"rendered":"https:\/\/forklog.com\/en\/ledger-identifies-vulnerability-in-trezor-wallets\/"},"modified":"2025-03-13T10:54:03","modified_gmt":"2025-03-13T08:54:03","slug":"ledger-identifies-vulnerability-in-trezor-wallets","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ledger-identifies-vulnerability-in-trezor-wallets\/","title":{"rendered":"Ledger Identifies Vulnerability in Trezor Wallets"},"content":{"rendered":"<p>The hardware cryptocurrency wallet manufacturer Trezor has addressed a vulnerability in its Safe 3 and <a href=\"https:\/\/forklog.com\/en\/news\/trezor-unveils-new-hardware-wallet-safe-5\">Safe 5<\/a> models. The issue was identified by the research team of its competitor, Ledger, as reported by the company&#8217;s <span data-descr=\"Chief Financial Officer\" class=\"old_tooltip\">CFO<\/span>, Charles Guillemet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">At <a href=\"https:\/\/twitter.com\/Ledger?ref_src=twsrc%5Etfw\">@Ledger<\/a>, you might know that we have the <a href=\"https:\/\/twitter.com\/DonjonLedger?ref_src=twsrc%5Etfw\">@DonjonLedger<\/a>, our dedicated team constantly conducting open security research. <\/p>\n<p>We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here&#8217;s a thread on our findings:
<a href=\"https:\/\/t.co\/CORDOQWRYg\">pic.twitter.com\/CORDOQWRYg<\/a><\/p>\n<p>\u2014 Charles Guillemet (@P3b7_) <a href=\"https:\/\/twitter.com\/P3b7_\/status\/1899863743036874795?ref_src=twsrc%5Etfw\">March 12, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">March 14, 2025 | 11:20<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>A Trezor representative clarified to ForkLog that the vulnerability affected only the Safe 3. According to them, the Safe 5 uses a different chip with a higher security level.<\/p>\n<p>Trezor noted that Ledger Donjon researchers were unable to extract private keys or PIN codes from the tested device. According to the representative, users&#8217; funds remain protected if the wallet is purchased through official channels.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAs for future devices, we are constantly improving our products, and enhanced security measures, including the more robust chip used in the Safe 5, will be integrated into new models,\u201d the manufacturer emphasized.<\/em><\/p>\n<\/blockquote>\n<\/div>\n<p>The issue concerned the wallet&#8217;s microcontroller, which is used for cryptographic operations. This could have made the Safe 3 and Safe 5 \u201cvulnerable to more sophisticated attacks,\u201d noted Guillemet.<\/p>\n<p>Trezor has already implemented Secure Element chips designed to protect the user&#8217;s PIN and cryptographic data. 
Ledger noted that the feature \u201ceffectively prevents any low-cost hardware attacks, particularly voltage glitches.\u201d<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201c[This] gives users confidence that their funds are safe, even if their device is lost or stolen,\u201d the research team emphasized.<\/em><\/p>\n<\/blockquote>\n<p>However, Ledger discovered another potential attack vector related to the microcontroller, the other main component of the dual-chip design in the Safe 3 and Safe 5 models.<\/p>\n<p>Although Trezor has a firmware integrity check, Ledger engineers managed to bypass this protection. The manufacturer later fixed the vulnerability.<\/p>\n<p>Company representatives gave assurances that users&#8217; funds remain safe and that no action is required from clients.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Hi, your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure.<\/p>\n<p>\u2014 Trezor (@Trezor) <a href=\"https:\/\/twitter.com\/Trezor\/status\/1899891032172437800?ref_src=twsrc%5Etfw\">March 12, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>However, when asked whether Trezor had managed to fix the firmware issue, the hardware wallet provider responded in the negative.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Hi, unfortunately not. In cybersecurity, the golden rule is simple: nothing is fully unbreakable. 
That\u2019s why we have already implemented a multi-layer defense against supply chain attacks and always advise our users to purchase from official sources.<\/p>\n<p>\u2014 Trezor (@Trezor) <a href=\"https:\/\/twitter.com\/Trezor\/status\/1899886020642169185?ref_src=twsrc%5Etfw\">March 12, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cIn cybersecurity, the golden rule is simple: nothing can be completely invulnerable,\u201d the company commented.<\/em><\/p>\n<\/blockquote>\n<p>The Trezor team reported the implementation of multi-layered protection against supply chain attacks and advised users to purchase devices only from official distributors.<\/p>\n<p>Back in January 2024, the company&#8217;s developers <a href=\"https:\/\/forklog.com\/en\/news\/data-breach-affects-66000-trezor-users\">reported<\/a> a security incident with a third-party support provider, which led to a data leak of approximately 66,000 clients.<\/p>\n<p>In December 2024, attackers posing as Ledger support <a href=\"https:\/\/forklog.com\/en\/news\/ledger-users-targeted-by-phishing-emails-over-fake-data-breach\">sent<\/a> out fake notifications about a service breach, prompting users to disclose seed phrases.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The hardware cryptocurrency wallet manufacturer Trezor has addressed a vulnerability in its Safe 3 and Safe 5 models. The issue was identified by the research team of its competitor, Ledger, as reported by the company&#8217;s CFO, Charles Guillemet. 
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22010,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1640,115],"class_list":["post-22011","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-ledger","tag-trezor"],"aioseo_notices":[],"amp_enabled":true,"views":"196","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=22011"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22011\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/22010"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=22011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=22011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=22011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}