Ledger's Donjon security team has just released a security report claiming that the new Trezor Safe 3 is susceptible to physical supply chain attacks.
The link to the report, including technical details, is available here:
https://www.ledger.com/why-secure-elements-make-a-crucial-difference-to-hardware-wallet-security
Here are the key takeaways from Ledger's findings:
- Despite Trezor's use of a secure element in the Trezor Safe 3, an attacker with the needed knowledge and hardware could tamper with the wallet, install malicious software, and gain access to the user's coins.
- The Safe 3's security model combines two chips: the secure element and the microcontroller chip. The Optiga Trust M secure element protects against cheap hardware attacks, like voltage glitching.
- However, the microcontroller is vulnerable to manipulation attacks because cryptographic operations are still performed on it. In theory, a hacker could modify the software on the microcontroller flash memory to steal the user's crypto by introducing biased entropy and seed generation or manipulating the nonce of ECDSA signatures.
- Trezor's microcontroller TRZ32F429 is electrically identical to an STM32F429, making it vulnerable to voltage glitching.
- Trezor has a firmware integrity check as a way to protect against modified software, but Ledger Donjon managed to bypass this safety feature.
- Trezor Safe 5 uses a more advanced microcontroller, STM32U5, which isn't vulnerable to attacks like voltage glitching, ultimately improving the security of the device.
Ledger Donjon had to manipulate the microcontroller physically and desolder it to perform the attack. The picture below shows that an inexperienced eye couldn't differentiate between a genuine and a modified Trezor Safe 3.

Ledger also mentioned the following information about the Optiga Trust M secure element by Infineon:
The Secure Element used in the Trezor Safe 3 and Trezor Safe 5 is an Optiga Trust M (aka SLS32) sold by Infineon. It consists of both an Integrated Circuit (the chip proper, made out of silicon-based transistors), and fixed, un-updateable software, programmed onto the chip by Infineon in their production lines. This software is fully closed source.
Ledger Donjon claims they reported all their findings to Trezor and that the company addressed the vulnerability accordingly.
Sources:
https://www.ledger.com/why-secure-elements-make-a-crucial-difference-to-hardware-wallet-security
https://x.com/P3b7_/status/1899863743036874795