A hardware wallet manufacturer has recently addressed a security issue in two of its newer models after its competitor’s research team identified a flaw in the microcontrollers.
The rival company acknowledged that while the manufacturer has made notable security enhancements, there were still concerns that cryptographic functions could be executed on the microcontrollers of its Safe 3 and 5 devices, potentially leaving them open to sophisticated attacks.
Fortunately, the manufacturer has since rectified these vulnerabilities, according to a statement from the rival company’s chief technology officer, who described enhancing ecosystem security as essential for the broader adoption of cryptocurrency and digital assets.
The manufacturer had previously integrated “Secure Elements” into its devices, which are specialized chips designed to safeguard user PINs and cryptographic keys. This is particularly crucial since some of its devices could be compromised by software alterations, which could enable malicious actors to access user funds.
The “Secure Elements” feature is said to effectively counteract inexpensive hardware attacks, particularly voltage glitching, helping to assure users that their funds remain secure even if their device is lost or stolen.
However, the rival company uncovered another potential avenue of attack related to the microcontroller, which is a critical component of the two-chip architecture in the Safe 3 and 5 models. Although the manufacturer had incorporated a firmware integrity check to identify modified software, the rival was able to show that an attacker could bypass this security measure.
This problem has since been remedied by the manufacturer, although specific details of the solution have not been disclosed. The manufacturer has confirmed that user funds are secure and that no action is required from users.
While assuring users that their funds are secure, the manufacturer indicated that it could not patch the issue through firmware alone, reiterating a fundamental principle in cybersecurity: nothing is entirely unbreakable. It advocates a multi-layered defense against supply chain attacks and recommends that users buy from official sources.
The rival is also not without its own security challenges. In December 2023, a hacker successfully breached the rival’s connector library and stole $484,000 worth of cryptocurrency. Additionally, a separate attacker leaked the personal information of about 270,000 customers in June 2020.