In a rare display of industry cooperation, Ledger, a leading hardware wallet provider, assisted its competitor Trezor in fixing a critical security vulnerability affecting its latest Safe 3 and Safe 5 models.
The flaw, discovered by Ledger Donjon, the company’s open-source security research division, exposed Trezor’s microcontroller to potential advanced attacks that could have compromised user funds.
Despite recent security advancements by Trezor, Ledger’s research team identified a critical weakness in the hardware design of the Safe 3 and Safe 5 models.
While Trezor had implemented Secure Elements—specialized chips that protect PIN codes and cryptographic secrets—Ledger found that cryptographic operations could still be performed on the microcontroller, making the devices susceptible to sophisticated attacks.
In a March 12 post on X, Ledger’s Chief Technology Officer Charles Guillemet confirmed that Trezor has since patched the vulnerability, ensuring that user funds remain protected.
“We believe that making the ecosystem more secure helps everyone and is critical as we push towards broader adoption of crypto and digital assets,” Guillemet stated.
How Serious Was the Threat?
Trezor had already hardened its security against low-cost hardware attacks, including voltage glitching, which could allow hackers to manipulate the device’s behavior. However, Ledger uncovered an additional attack vector related to firmware integrity checks a security measure designed to detect and prevent unauthorized software modifications.
While Trezor implemented a system to verify firmware integrity, Ledger demonstrated that an attacker could bypass this security measure, posing a potential supply chain risk.
Trezor has since patched the vulnerability, but neither company has publicly disclosed the technical details of the fix. Notably, when asked if the issue was resolved through a firmware update, Trezor admitted:
“Unfortunately not.”
This suggests that the vulnerability was hardware-based, making it impossible to fix purely through software updates—raising concerns for existing users of affected models.
Why Did Ledger Help a Competitor?
Ledger’s decision to assist a direct competitor in strengthening its security highlights a broader industry-wide priority: safeguarding crypto assets. Hardware wallet providers share a common goal of protecting users from sophisticated cyber threats, regardless of competition.
By collaborating on security research, both companies contribute to a more resilient crypto ecosystem, ultimately benefiting users who rely on cold storage solutions to safeguard their funds.
Trezor reassured its users that no funds were lost and that no immediate action is required. However, the company emphasized the importance of buying hardware wallets from official sources, as supply chain attacks remain a persistent risk.
“In cybersecurity, the golden rule is simple: nothing is fully unbreakable,” Trezor stated.
While Ledger played a crucial role in identifying Trezor’s vulnerability, it has faced its own security breaches in the past:
- December 2023: A hacker exploited Ledger’s connector library, stealing $484,000 worth of crypto assets.
- June 2020: A major data breach exposed mailing addresses of 270,000 Ledger customers, leading to phishing attacks and identity theft risks.
Final Thoughts
Ledger’s intervention in Trezor’s security flaw is a rare example of collaboration between competitors in the crypto space. While both companies have experienced security incidents, this case demonstrates that even rivals can work together to enhance user protection and strengthen the overall security of digital assets.
As the crypto ecosystem grows, such industry-wide cooperation may become essential to counteract evolving threats, ensuring that self-custody solutions remain the safest way to store digital assets.
