Trezor Safe devices still vulnerable to physical supply chain attacks, Ledger says

Trezor’s latest material portfolios have secure elements but are still vulnerable to attacks targeting their microcontrollers, says Ledger.

In the constantly evolving world of cryptographic security, even the most advanced material portfolios are not immune to emerging threats.

Now, cybersecurity experts from Ledger Donjon, the search branch of the Crypto Physical Portfolio Ledgerraise concerns about his rival On. Despite its secure design reputation, Trezor’s safe models seem vulnerable to physical attacks. While devices have double chip configurations and certified secure elements, Ledger researchers argue that these models are not entirely protected against determined pirates.

In a March 12 blogLedger notes that the new TREZOR safety devices have been designed with better security features, including a two -chip configuration with a certified secure element (Optiga Trust M) for the storage of pins and cryptographic secrets. However, Ledger says that critical cryptographic operations “are always carried out on a microcontroller however”, which makes the attacks in models of more advanced threat possible “.

“The microcontroller used is labeled TRZ32F429 – it is in fact a STM32F429 chip wrapped in a BGA with personalized brands. Despite the specific package in Trezor, however, it is really electrically the same as a STM32F429, and the family of this chip is known to be vulnerable to tension glitting, allowing access to reading and writing to its flash content. »»

Ledger

Although the devices include mechanisms to prevent falsification, Ledger thinks that these defenses are not infallible, declaring that it is “only a matter of engineering time and effort to withdraw the attack in practice”. More importantly, researchers argue that the attack can be carried out “purely in the software”, which makes it “very difficult, if not impossible”, to detect either cryptographically or by visual inspection.

Despite these risks, Trezor’s safe devices are considered a step forward in the safety of cryptographic equipment, admits the big book, but stresses that continuous vigilance is necessary to treat the potential weaknesses of the supply chain.

After the publication of the research, the Trezor X account reassured Users that their funds “remain safe”, noting that Ledger Donjon had reused a “previously known attack to bypass some of our countermeasures against the attacks of the supply chain in Trezor Safe 3”