TREZOR Discusses Ledger & What Makes a Hardware Wallet Secure

The last few weeks haven’t been the best for SatoshiLabs (the company behind TREZOR), but it seems that the company is starting to regain some of the trust that was lost when they decided to change the TREZOR firmware license. That “emotional and impulsive” response is now behind the TREZOR team, and they can begin to refocus their energy towards making sure that the bitcoin community has at least one reliable hardware wallet. Recently, I was able to ask SatoshiLabs’s Alena Vranova a few questions related to what makes a hardware wallet secure and how individuals can make sure their bitcoins are safe from malware, hackers, and other threats.

Ledger Discovers a Potential Vulnerability

My first question for Vranova had to do with the Ledger team’s recent claims about a potential vulnerability in the TREZOR. Ledger’s findings were first presented at the 2015 London Bitcoin Expo, and a member of the team then posted the slides from that presentation on Reddit. The overall response from the /r/Bitcoin community was one of skepticism. As one Redditor put it, “Come on! Ledger doesn’t have a [screen] nor buttons, yet talking about Trezor’s SECURITY? What a joke

Alena Vranova’s response to the potential vulnerability pointed out by Ledger was straight and to the point. She stated, “We’d like to thank Ledger for discovering a potential vulnerability.

“Unfortunately we can’t help [The] Ledger team the same way because their code is not open source.”

This was obviously a bit of a jab at Ledger due to the fact that they are unable to open source their firmware due to an NDA with a chip manufacturer.

When speaking to the specific attack outlined by Ledger in their presentation, Vranova had this to say:

“The way of PIN brute-forcing as pointed out is not very likely to happen today since it requires a specialized laboratory equipment. We are addressing it anyway with a new firmware release in the coming days. This is a good example of how open source can help to build a solid and secure hardware.”

Vranova then went on to explain that the TREZOR is about much more than physical security, which is something that the Ledger team themselves seems to understand:

“Any hardware can be hacked with physical access to it. One of examples is the Sony Playstation 3 master key leak incident. Our answer to the question of physical chip security was to make such attacks irrelevant. TREZOR security model is not based on physical protection, but on combination of more factors. Even a member of the Ledger team acknowledged that ‘TREZOR + PIN + passphrase’ is immune to a physical attack.”

The Importance of a Screen and Buttons on a Hardware Wallet

One of the main distinctions between a TREZOR and a Ledger Wallet Nano is that the TREZOR comes equipped with its own screen and physical buttons. This is a key element of the TREZOR that is often brought up during comparisons of the levels of security offered by the competing hardware wallets. Vranova explained the importance of these physical aspects of the Trezor hardware wallet when I asked her if it’s possible for the Ledger Wallet Nano to be as secure as a TREZOR without them:

“The thing with screen and buttons is pretty simple. In case the hardware wallet doesn’t have them, you have to trust the computer you are using it with. And at that point there’s no way of telling if the computer is lying to you or not. Is this really the address I want to send my bitcoins to? Is this really the right amount? Is the fee I’m going to pay correct? Well, with TREZOR you just check this on-screen and confirm it by hitting a button. A button press is something no virus can do distantly. It’s physically detached from the possibly compromised software environment.”

Hardware Wallets vs Multisig Security Options

One last topic I wanted to ask Vranova about was multisig wallets that allow users to require signatures from multiple devices before broadcasting a bitcoin transaction to the network. The key distinction pointed out by Vranova first was that the TREZOR will keep a user’s private keys safe, even if the device is connected to an infected computer. She noted:

“TREZOR is currently the only solution that secures the entire lifetime of your private keys, from the moment of their creation, through a convenient backup, concluding transaction up to a secure recovery process. The private keys stay safe even if you use TREZOR with a computer infected by malware.”

Vranova then went on to explain the issues with a 2-of-2 multisig address. She explained:

“History shows that people struggle to backup data on their computers. A 2-of-2 multisig would make things even worse. Losing the data either from a phone or from the computer simply means losing access to the wallet. That’s not a situation we’d like to have when it comes to money.”

Vranova also noted that SatoshiLabs is currently working on integrating the TREZOR as a multisig solution for a variety of wallets:

“Finally, the question is not whether to trezor or to multisig. TREZOR can be used to co-sign multisig transactions. Currently we are working on integration with some end-user multisig wallets such as GreenAddress or Copay. In any case, we recommend at least a 2-of-3 multisig.”

What’s Coming Next?

For now, it seems that the TREZOR team is happy with their hardware wallet. They have no immediate plans to release a new version of their hardware, although Vranova did note that one area of improvement could be a cheaper and more effective production process. For now, the TREZOR team is focused on implementing the payment protocol (BIP070) and labeling for myTrezor.com.

Vranova also offered one last subtle jab at the Ledger team during her response on future improvements for the TREZOR. The team behind the Ledger Wallet Nano have noted in the past that they will be adding NFC and other features to a future hardware release, but it does not seem that SatoshiLabs will be offering a similar product in the near future. On the topic of hardware improvements Vranova explained:

“The hardware design has proven to be optimal and we won’t complicate it with fancy stuff that may weaken the security design, e.g. NFC or fingerprint readers.”