
Despite advancements in hardware wallet security, Ledger Donjon, the research arm of crypto wallet provider Ledger, has raised concerns about Trezor’s latest Safe devices, stating that they remain vulnerable to physical supply chain attacks.
Ledger’s Findings on Trezor Safe Devices
In a March 12 blog post, Ledger researchers acknowledged that Trezor Safe models have improved security features, including a two-chip setup and a certified Secure Element (Optiga Trust M) to store PINs and cryptographic secrets. However, critical cryptographic operations are still performed on a microcontroller, which remains susceptible to attacks.
“The microcontroller used is labeled TRZ32F429 – this is actually a STM32F429 chip packaged into a BGA with custom markings. In spite of the Trezor-specific package however, it is really electrically the same as a STM32F429, and this chip’s family is known to be vulnerable to voltage glitching, enabling read and write access to its flash contents.” – Ledger Donjon
Potential Exploit Risks
Ledger claims that while Trezor Safe devices incorporate anti-tampering mechanisms, these defenses are not foolproof. The research team warns that a determined attacker could use voltage glitching to gain unauthorized access. The most alarming part? This attack can be executed “purely in software,” making it extremely difficult to detect through cryptographic checks or visual inspection.
“It is only a matter of time and engineering effort to pull off the attack in practice.” – Ledger Donjon
Trezor’s Response
Following the report, Trezor responded via X, reassuring users that their funds remain safe. The company acknowledged Ledger Donjon’s research, stating that the findings reused a previously known attack to bypass some of Trezor’s countermeasures against supply chain threats.
Implications for Crypto Security
While Trezor Safe devices still represent a step forward in crypto hardware security, Ledger’s research highlights the ongoing risks in the supply chain. As hardware wallets continue to evolve, manufacturers must remain vigilant against emerging attack vectors to ensure the safety of user assets.
For now, both Ledger and Trezor agree that continuous security improvements are necessary to protect crypto users from sophisticated threats in the ever-evolving landscape of digital asset storage.