The Ledger vs. Trezor beef has a long history, but the efforts of Ledger's CTO may have fanned the flames, as he reported vulnerabilities his team discovered in its competitor.
Trezor and Ledger, two of the most prominent hardware wallet manufacturers, have long been locked in a rivalry.
As part of Cointelegraph's interview with Charles Guillemet, the CTO of Ledger, he revealed that the relationship is more complex than it may seem at first. Despite the rhetoric, cooperation and respect can be found as well.
A collaborative rivalry
Guillemet said that he doesn't know who started the rivalry, as it goes back to the "very beginning of the Ledger and Trezor companies."
"I think things got more serious when I created the Donjon, which is our internal security team," he conceded. The Donjon was one of the first innovations introduced by Guillemet when he joined Ledger, due to his belief that the only way to design a secure system is to "try to break it, again and again."
While the Donjon focused on Ledger wallets, they also began looking at competitors' products. "At the beginning that was mostly by curiosity. We just wanted to understand how they work," he said.
That study resulted in the team finding vulnerabilities in "each single wallet that we looked at." Guillemet noted:
"When you find a vulnerability, the right thing to do is to report it to the vendor. And that's what we did."
The vendors then fixed the vulnerabilities, even giving bounties to Ledger some of the time. Regarding Trezor, he mentioned a "battle of PR" between the companies, adding:
"At the end, one thing which is completely true, is that the wallet security of Trezor improved a lot thanks to us."
While Guillemet did not remember the exact number of vulnerabilities reported to Trezor, he said they were about "six or seven." All of them were patched except one, which was unfixable due to the fundamental design of Trezor's chips.
Due to this, the Ledger team did not disclose its details, though they were independently reported a year later by Kraken's security team.
Open source vs. security
The reason why the bug is unfixable is that Trezor uses a so-called MCU chip in its wallet, which is used in common household appliances and was not meant for secure data storage, Guillemet explained. When asked why, he said that this was a conscious design choice:
"They are of strong belief in open source philosophy, and when you use the Secure Element, you have to sign an NDA with the chip manufacturer, which prevents you from giving any information on what's going on inside the chip."
The Secure Element used by Ledger contains many countermeasures, which an open source firmware would likely reveal. According to Guillemet, secure elements are unacceptable to Trezor as they want to maintain their software completely open.
Guillemet said that open source software is "a very good thing" and noted that he personally contributed to some projects. "But when you design a security device, I think security is the most important thing."
While he conceded that open source software could be a security benefit due to the additional scrutiny, this is not enough:
"As it prevents you from using a dedicated Secure Element, at the end you end up with a less secure device."
Guillemet shared that he has a "good relationship personally with people at Trezor," referring to them as "very interesting guys," even if the two teams' philosophies are different.