After three researchers posted proof about the vulnerabilities in some cryptocurrency hardware wallets, Ledger and Trezor finally responded. They basically said that user cryptocurrency balances are completely safe.
Ledger: Your Crypto Assets Are Safe
Ledger quickly decided to respond with a blog post in which it declared that the company is happy to see people challenging the security of the device. However, it was stated about the people publishing the vulnerabilities:
They presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case.
In the security world, the usual way to proceed is responsible disclosure… We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.
Ledger went on to say that there were no practical vulnerabilities that were presented. It was stated that a hacker would not use the highly complex trick that was utilized, which employed a physical wallet modification, malware and another person that would remotely enter a hacked PIN in order to launch the crypto application.
It was added that the researchers did not manage to bypass MCU check. However, Ledger did acknowledge there was a bug in the firmware update function. This is what allowed researchers to add some software. According to Ledger, only the screen can be controlled and the bug will be solved through the next firmware version.
About the Ledger Blue hack, the manufacturer said that this would only be possible if the device remains in the exact same position while radio emanations are being measured, which is not practical in real-world conditions.
Ledger: Keep Using The Device
Trezor stated that a vulnerability is acknowledged but that it was identified. Physical device access would be needed, with the case having to be broken. Trezor’s words were really simple:
If you have physical control over your Trezor, you can keep on using it, and this vulnerability is not a threat to you.