Everybody is all like "oh Ledger you're soo professional for doing this!" Ledger does what benefits Ledger solely, they are a hardcore competitive wolf, trying out sheep's clothing. Notice they didn't report their own security vulnerabilities, which still apply after wallet.fail? Do you think it's coincidence they they go on a massive campaign to de-credit their closest competitor?
There’s no doubt that Ledger intend to make Trezor look bad. Why else would you pay to find a competitor’s bugs? However, you can’t discredit a company by paying to find bugs in their product, thus allowing them to be fixed. At this level these flaws are very expensive to find, so provided they’re dealt with responsibly, I don’t see how this is anything but a good thing for SatoshiLabs.
Also, Ledger needs to be very careful to not attract the spotlight- they’ve made some **very** questionable releases in the past.
Good point, Trezor does come out of this looking better than before, thanks to Ledger. But at what cost to Ledger? I feel like the communication coming from Ledger tech teams are always incredibly aggressive, petulant, or dismissive. Case in point: their CTO on reddit or twitter, their flippant response to third-party discoveries of product bugs, and this public hitjob.
I could dig into the details, but you perhaps already know the answer- were any of these attacks white box attacks, in so far as the were enabled or inspired by access to the source code? It would be a great endorsement of SatoshiLabs’ approach/ethos if any of these attacks were enabled (and consequently mitigated) by keeping everything open.
Or perhaps the question is more simply “Did opensourcing everything make these attack vectors easier to find?”.
Most of the presented attacks were attacks on the hardware.
However, I think that having for example an ECDSA implementation open source was beneficial for researcher, because he knew better what to look for on the hardware side-channel level.
Thats pretty dick move Ledger. You waste nitpicking your time on your competition instead fixing shit on your own. Why dont you focus on yourself as the company development and fixing your critical (serious) bugs (features)? Just to boost you more sales? This will backfire to you.
We are fortunate to have been able to build such a sophisticated attack lab. Our security team, Ledger Donjon, spends most of their time attacking our own products, only to come up with strategies to mitigate the vulnerabilities found. Security research is very resource-intensive, so we focus mostly on our own products.
We also feel the responsibility to give back to the community by helping increase the level of security for the ecosystem as a whole. That means responsibly disclosing vulnerabilities to our competitors whenever we identify them. This is standard practice across the entire tech industry. In fact, we are very thankful for anyone who has made responsible disclosures to us, since we've hardened our products thanks to them.
Lastly, we have different teams working on different projects. The product team is not the firmware team is not the marketing team, etc. You get the point: we're able to focus on many different things at the same time. Any bugs/feature requests raised are being addressed. Thank you for your support.
It sounds like they're making everyone more secure by responsibly disclosing issues to the competition, which can then be patched. Not sure how this is a bag thing?
I think with a lot of computer systems and devices it's important to know what failure modes other similar products have, so that you can ensure your own system doesn't suffer from the same issues.
You're absolutely right.
However, the context in which some of the points made by the CSO in the video were slightly, ehm, biased and unfair necessitating a response from Trezor. It's that part I didn't like.
Quick question about the first vulnerability they describe in their article--ie. sending an 'impostor' Trezor device that has been altered to send coins to another address.
It's my understanding that if they have altered the firmware of the device then the Trezor will give a warning since I assume Ledger doesn't have access to the key you use to sign your firmware. Am I correct?
Assuming they altered the firmware to remove such a warning, if you were to take that fake device and plug it into the Trezor webwallet and try to install official Trezor firmware onto it, wouldn't that remove their malicious firmware?
No. In the video, the bootloader is modified to simulate a firmware update, but no firmware is actually loaded (it just activates a pre loaded firmware) so you can follow the official update flow and the malware would still be there. There are many possible variations around that if a malicious bootloader is installed.
In the video you say that the only way to mitigate against this supposed attack is to use a secure element chip, which conveniently only Ledger uses. If this is true then you need to demonstrate and disclose this vulnerability PUBLICLY.
At least this way the wider community will be aware and people can make a proper decision about which hardware wallet to use. After all, there are many smart hackers out there that don’t give public demonstrations and they will find and exploit this vulnerability if what you say is true. If you don’t disclose it publicly then it comes off as marketing BS.
There's no details in the video (I didn't finish watching the whole video, though), but by combining your comment with the video, I assume 1) the firmware is replaced with a malicious one, which always "generates" the seed that the adversary knows; 2) the bootloader is replaced with a malicious one, which displays a firmware upgrading process while not actually upgrading it. Correct?