Following a report published by Ledger which outlined five vulnerabilities within Trezor wallets, the company has responded and addressed the issues in a March 12, 2019 blog post.
Put on the Spot
When a blockchain or crypto firm is under fire, whether for an acquisition or a hack, it is always in their best interest to respond and clear the air regarding the matter.
This is exactly what Trezor has done with regard to a report published on March 10, 2019, by Ledger, which claims that Trezor’s wallets suffer from a number of vulnerabilities that make it possible for them to be compromised. Among the listed issues are the wallets being prone to side-channel attacks, counterfeiting and the stealing of PINs.
Other Side of the Story
Trezor, for their part, published a response to these claims on their website on March 12, 2019. Their main point is that while all the vulnerabilities outlined by Ledger are valid, they are only critical to hardware wallets. All of them, they point out, would require physical access to the wallet itself and cannot be carried out remotely, and are thus less of a threat.
They buttressed this point with statistics compiled from a survey conducted in conjunction with Binance. According to the survey, only about 5.93 percent of respondents consider physical attacks a significant threat, compared to 66 percent who consider remote attacks their greatest concern. Trezor then says that the former have little to worry about despite the report.
The post states:
“These 5,93% can be protected by using passphrase, which covers the physical security of both the device and the recovery seed,”
A hardware wallet is designed to guard against malware attacks, computer viruses, and various other remote dangers, Trezor says. It also points out that despite technological breakthroughs, perfect physical security is not possible: with the right resources and enough time, practically every hardware wallet can be broken into. This is especially true of $5 wrench attacks, where a user is forced to give up their passcode, in which case no hardware security protocol can protect the funds.
However, it is unlikely that anyone who randomly stumbles upon a user’s physical wallet will have the expertise or resources to break into it.
It was also mentioned that four of the five points outlined have already been fixed, cannot be exploited or require a PIN to execute.