Ledger, the hardware wallet (HW) manufacturer, revealed its competitor Trezor's vulnerabilities to cyber attacks. At the recently held MIT Bitcoin Expo in Boston, Charles Guillemet, Ledger's Chief Security Officer, presented multiple ways in which the Trezor wallet could be broken into.
The French company, Ledger, like any other cyber-security company, tests its own products to ensure they are robust against potential hacks. However, the wallet manufacturer also tests its competitors' products, not simply to point out their flaws, but also to compare Ledger's protection capabilities against those of its peers.
Guillemet referred to four Trezor devices as "completely broken." The devices in question were the Trezor One, Trezor T, Keepkey, and B Wallet, which have security flaws so severe that, according to Ledger, there is no way to fix them. Following its chief security officer's statements, Ledger published an article detailing the weaknesses of its competitor.
In the report titled “Our Shared Security: Responsibly Disclosing Competitor Vulnerabilities,” the hardware wallet manufacturer stated that their responsibility to provide security services extended to their entire blockchain ecosystem.
Hence, due to this "shared commitment," Ledger took the extra step of testing whether its competitors' wallets can withstand attacks.
Ledger Donjon, the wallet manufacturer's security team, has an Attack Lab in Paris, where regular security checks are performed against Ledger's own products and those of its competitors.
The report added,
“Critically, when addressing the security of competing products, we always follow the principles of responsible disclosure, informing the impacted party of any vulnerability of their products that our Attack Lab might find, and giving them time to find a fix.”
Four months ago, the Attack Lab discovered five key vulnerabilities in Trezor's products. Trezor was contacted and informed of the findings. After allowing Trezor the "responsible disclosure period" to fix these vulnerabilities and granting two extensions, Ledger decided to go public with its findings.
The first vulnerability showed that the device's authenticity can be counterfeited. Exact clones of the original Trezor wallet can be made, allowing attackers to tamper with the device and gain control over the code running on it. Attackers could potentially insert "cryptographic flaws" or plant malware through a back door in the device.
When contacted by Ledger, Trezor stated that the flaw was outside its threat model and that users will not be exposed to the attack if the wallets were purchased directly from the Trezor website. Ledger, however, had a different perspective:
“In our view, this vulnerability can only be patched by overhauling the design of the Trezor One, and replacing one of its core components to incorporate a Secure Element chip, as opposed to the general purpose chip currently used.”
The second vulnerability concerned the device's PIN. Ledger found that on a stolen or found device, the PIN can be guessed using a side-channel attack: the attacker measures the device's power consumption while an entered PIN is compared against the stored PIN. The report stated,
“We found that the PIN does not protect the funds against an attacker with a physical access to the device.”
Trezor informed Ledger that the vulnerability was rectified in its firmware update 1.8.0.
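To make the PIN side channel concrete, here is an added toy model (not code from the article, Ledger or Trezor): the number of digit comparisons stands in for the power consumption an attacker would measure, and the leaky check is shown next to a constant-time one. PINs here are assumed to be ASCII digit strings, and the sample PIN and guesses are constructed.

```python
# Added example: models why an early-exit PIN comparison leaks through power
# consumption, and how a constant-time comparison removes that leak.
# The compare-operation count is a stand-in for the measured power trace.

def leaky_pin_check(entered, stored):
    """Early-exit comparison. Returns (match, compare_ops). The op count
    grows with the number of correct leading digits, which is the leak."""
    ops = 0
    for a, b in zip(entered, stored):
        ops += 1
        if a != b:
            return False, ops
    return len(entered) == len(stored), ops


def constant_time_pin_check(entered, stored):
    """Hardened comparison: always walks every digit of the stored PIN and
    folds mismatches into one accumulator, so the work done (and thus the
    power profile) does not depend on which digits were right."""
    ops = 0
    diff = len(entered) ^ len(stored)          # a length mismatch also sets diff
    padded = entered.ljust(len(stored), "\0")  # never exit early on short input
    for a, b in zip(padded, stored):
        ops += 1
        diff |= ord(a) ^ ord(b)
    return diff == 0, ops


def op_profile(check, stored, guesses):
    """Op count for each guess: the signal a side-channel probe would try to
    recover from the device during PIN entry."""
    return [check(g, stored)[1] for g in guesses]


def leaks_prefix(check, stored, guesses):
    """True if the profile varies across guesses, i.e. the check reveals how
    many leading digits were correct. Usable as a regression guard."""
    return len(set(op_profile(check, stored, guesses))) > 1


if __name__ == "__main__":
    STORED = "4713"                                    # constructed sample PIN
    GUESSES = ["0000", "4000", "4700", "4710", "4713"]  # one more digit right each time
    print("leaky         :", op_profile(leaky_pin_check, STORED, GUESSES))
    print("constant-time :", op_profile(constant_time_pin_check, STORED, GUESSES))
```

On real firmware the comparison is only one of the places PIN handling can leak (flash reads and error paths matter too), so the constant-time pattern above is a necessary but not sufficient fix.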
The third and fourth vulnerabilities concerned the confidentiality of the data stored on the device. An attacker with physical access to a Trezor One or Trezor T wallet can extract, and potentially erase, all the data in the device's flash memory.
Ledger further stated that this vulnerability cannot be fixed and that it would not publish the technical details. However, a strong passphrase set by the user is a possible mitigation.
The fifth and final vulnerability pointed to the ease with which an attacker with physical access to the device can use side-channel attacks to extract the secret key. The device is exposed to this attack during the scalar multiplication performed when transactions are signed. However, to carry out this attack, the attacker needs to know the device's PIN.
Ledger also presented a summary of the attacks and their severity.
XRP TipBot comes back online after a tiny downtime; Nothing to be worried about, says Wietse Wind
XRP TipBot's website and the corresponding application suffered downtime on June 23, 2019 for a few hours, during which the application did not show users' balances. The TipBot website and API displayed a "500 Internal Error" instead.
A Twitter user, @BlueNETGaming, tweeted at Wietse Wind asking about the outage. Wind confirmed that it was just an "infrastructure blip," and that there was nothing to be worried about.
Oops! Sorry! Infrastructure blip. Really easy fix but I enjoyed an offline afternoon with my girls 😇 So I only found out after some time, when I checked my phone. Monitoring, messages, calls 😇 Social media tips went through during the downtime. Sorry! 😆
— Wietse Wind (@WietseWind) June 23, 2019
XRP TipBot is probably the first and most widely adopted use case of XRP. It leverages the transaction settlement time of the XRP Ledger to make tipping easy among peers on Twitter, Reddit, and other platforms, and it was the brainchild of developer Wietse Wind.
After TipBot, a number of other cryptocurrencies have tried to mimic this idea of facilitating tipping; one example is Bitcoin's Tippin.Me, which leverages the Lightning Network for tipping users. Although successful, it is not as popular as Wind's TipBot.
The reason is that the XRP Ledger settles transactions in under 5 seconds, which makes tipping fast and efficient, unlike Bitcoin transactions, which take a few minutes to be confirmed.
This is the same reason XRP is being used as a liquidity provider for cross-border payments in Ripple's proprietary product, xRapid.
The XRP community is a tightly knit community of people who are very bullish about XRP's success. There are equally talented developers in the community who are developing apps that create more use cases for XRP.
SchlaubiDev is one such developer known for developing plugins for Gmail and Microsoft Office, plugins that allow a user to send XRP over e-mails.
Ripple has recognized the talent of Wind and his team and inducted them into Xpring, which funds them to develop more community-based apps that increase XRP's use cases.