Three researchers and engineers have recently published a report claiming the vulnerabilities faced by the users of Trezor and Ledger cryptocurrency wallets. The report claims that the users of these wallets are not feeling secure about their data.
Three researchers and tech geek named Dmitry Nedospasov, Josh Datko and Thomas Roth created the website named wallet.fail. They promised to make the site live after publishing their presentation to the 35th Chaos Communication Congress.
Within 24 hours of the presentation at the Congress, the researchers have published their claims online and two leading wallet makers, Trezor and Ledger have responded to their claims.
One of the marketers, Ledger has responded to the claims by a blog post stating that though it is a positive sign that people are thinking about their wallets and suggesting for its improvements, the claims these researchers have made are not based on all right facts.
The researchers have given three attack paths making an impression that the critical vulnerabilities of the users were disclosed and open on Ledger devices. But that is not what it is. The Ledger also added that though people are saying that they love cryptocurrency and they own some, the Ledger is a bit disappointed.
The company went on saying in the blog that, when it comes to security in the crypto world, the standard way to proceed is to go with responsible disclosure. The researchers did not follow the standard security framework which is given by Ledger. Plus, they claimed that the vulnerabilities presented by the researchers are not practical.
The Ledger does accept the presence of any possible bug in its firmware update function. The company, however, has assured that the next version of its firmware. This possibility would also be taken care of.
Researchers analyzed the radio emanations in the Ledger Blue wallet when a PIN was entered. Ledger says this path of attacking is exciting but in a real situation to make this attack successful, a device has to remain in the same position while recording the emanations. This is again very unlikely to happen.
The company while concluding the blog post said that Ledger has already installed a random keyboard for the PIN on the Nano S, and the same provision is made in the next version of firmware.
Trezor, on the other hand, appears to be working on its hardware as and how the information on it is getting revealed more and more. The company has accepted the claimed vulnerability.
