[...]
It seems to confirm what I was saying. In short, they used a bug to install custom firmware in the bootloader, but did not access the secure element or manage to extract any PINs or seeds, and the bug will be patched in the next firmware version. I'm also pretty impressed by the response time from the Ledger team here.
Indeed. It seems like we can also expect a Trezor fix by the end of January:
https://twitter.com/pavolrusnak/status/1078568510182309889?s=21
Turns out the researchers didn't follow customary responsible disclosure procedures, which is slightly disappointing. I guess both Ledger and SatoshiLabs would have appreciated a bit of a head start, especially given the fact that both companies have a great track record of cooperating with security researchers and fixing found vulnerabilities in a timely manner (something which unfortunately is not quite as common as one may hope). Nonetheless, it's good to know that researchers like them are out there, as findings of this kind help harden hardware wallets.