Ledger’s Charles Guillemet on Trezor/HTC Vulnerabilities and How to Hide in a Victim’s Closet While Hacking Ledger

«When I found out about Bitcoin for the first time in 2011, I thought it was no use, despite interesting technology. My friend, a huge geek, had been already mining it at the time and convinced me to try. I abandoned this idea right after turning Bitcoin software on, because my computer was too loaded. What a nonsense, that was what I thought! Now I’m in Ledger, so my friend makes fun of me», — here is how Bitcoin story started for Chief Security Officer (CSO) of Ledger Charles Guillemet.

Before joining ranks of the world’s leading hardware wallets’ manufacturer, Mr. Guillemet got degrees in Mathematics, Computer Science, Cryptography and Coding, and spent around eight years working as a senior security expert in major French ITSEFs (security labs), specializing on evaluation of secure elements for critical apps such as bank cards, passports etc.

In an exclusive interview with ForkLog Charles Guillemet reveals how much time is needed to hack Trezor hardware wallets [too little], discloses the critical HTC Exodus vulnerability, shares his view on fair competition and broader security issues.

ForkLog: As a security expert do you believe there is something unhackable? It’s yes or no question.

Charles Guillemet: No. I work in security for more than ten years now, so my answer is no.

ForkLog: Well, are Ledger wallets vulnerable? Could I extract a PIN with a physical access?

Charles Guillemet: I don’t think so. Of course, it always depends on how much time and resources you spend trying to hack it, what materials you have and your expertise.

We’re working full time trying to break our devices. The secure element itself went through a 3rd party security evaluation (by an ITSEF) for six months to get certified, so it’s definitely very hard to compromise our wallets. If you spend millions and significant resources, time and expertise, you might succeed though.

ForkLog: Last year researchers from wallet.fail claimed they had successfully extracted PINs from both Trezor and Ledger devices. Ledger called those attacks “not of the practical nature”. Could you explain what you actually meant by saying this?

Charles Guillemet: You can give your Ledger to wallet.fail guys right now and they won’t be able to extract either your PIN or a seed. They actually didn’t claim that in their findings.

They conducted two different attacks on Nano S model. The first one is a hardware implant attack. It requires physical access to the wallet to install an implant inside the case to remotely push the buttons. Let me explain how it might look like.

The attacker needs to break into your house and to find your Nano S. Then he has to open the case, install the implant and close the case back. After that he has to upload a malware on your computer, which is designed to readdress the transaction to his address.

Now everything is ready for the attack and he has to hide probably in your closet with a remote controller. Then you unlock your device with a PIN and launch the Bitcoin application. At the same time the attacker triggers the malware and activates the implant to approve transactions. After that he can finally leave your home. As you see this type of attack is very very unlikely. It’s a fun idea but nothing be serious.

The second finding was a vulnerability with no consequences, because it didn’t allow to extract a secret from the secure element. They were able to upload a snake on the insecure element for USB-communication, button and display. But Ledger’s security doesn’t rely on this element, which doesn’t hold any secret. The secure element is able to detect that software is not legit, so it won’t even boot.

ForkLog: Were they right about Trezor?

Charles Guillemet: They claimed to succeed in extracting a seed from a Trezor wallet during one of security conferences and promised to share details in the future. So far, they didn’t publish anything about that, as far as I know.

It’s hard to judge in this case, but my wild guess is that this attack was not reliable and Trezor was able to patch it. It also seems that wallet.fail didn’t make a responsible disclosure to Trezor team.

ForkLog: Let’s talk about responsible disclosures. Have you ever used your knowledge about some vulnerability to gain a competitive advantage?

Charles Guillemet: We have never done this. We are security researchers, so acting ethically is very important for us. We don’t consider full disclosures as responsible behavior.

ForkLog: Have you ever thought about hurting competitors in such a way?

Charles Guillemet: We do researches on a lot of security products including some our competitors, but we disclose vulnerabilities to them. In case the vulnerability isn’t patchable, we think it’s not ethical to publicly share the details at all.

ForkLog: Who said it’s unethical? Is there any official industry ruling?

Charles Guillemet: There are no specific rules – security research community is quite scattered: we could distinguish three big categories in the community.

The first one is the old-fashioned full secrecy approach, which means no disclosure policy. It’s adopted by national security agencies, huge corporations, hardware vendors etc. They are very good at security, but they don’t share knowledge. I think things are going to change, but for now we have this category with a lot of secrets.

The second one is white hat. I prefer to call this category ethical security research. The main idea is to act responsibly for the good of users. Most of researchers in this category are focused on science. The market for ethical hacking is growing, many companies start rewarding responsible disclosures.

The last one is what I call “ass hat”. These researchers are motivated by either financial gains or fame, they don’t care about ethics. They often sell sensitive data on a black market or exploit it by themselves.

It’s a big problem. There are no written rules and there are huge incentives to act as black hats. On the other side, there is a consensus on good practices agreed in the software industry. And I personally believe that responsible disclosure is the only right way. However, there will always be black hats.

ForkLog: Do you remember the Binance incident in May? As far as I understand it’s good for Ledger’s business when exchanges get hacked.

Charles Guillemet: It may be so, because such incidents show users that the most secure way to store coins is to hold your keys. Not your keys, not your money. Hardware wallets are probably the safest way out, but in a broader context it shows that ecosystem has a security problem, so it’s always double-edged sword.

ForkLog: I know it’s tricky, but I have to ask. Have you ever thought about hacking a big exchange to make your product more popular?

Charles Guillemet: [laughing] Maybe we have thought about it, but as I’ve said we are ethical, so we don’t succumb to this kind of thinking. We won’t do this ever.

ForkLog: Aside from selling hardware wallets what else Ledger does? For example, what is Ledger Vault product?

Charles Guillemet: We have already sold over 1.5 million wallets. But it’s not the only business we run. As for now Ledger Vault is the most important project at Ledger. It’s a hardware-based security solution and authorisation framework which is designed for financial institutions and funds to manage crypto-assets.

It’s quite simple from the technical side. The security of the vault relies on two hardware components: PSD (personal security device) and HSM (hardware security module).

In practice there is a smooth interface for preparing transaction. According to the governance rules, several approvals are required from the PSD to verify the order, to check the confidentiality, and to authorise the transaction.

ForkLog: Is it a multisignature wallet?

Charles Guillemet: It’s a similar technology, but it also allows to implement specific governance rules if you want, for example, to limit the ability of the account to trade higher volumes than whatever even with approvals.

ForkLog: Adam Back, CEO of Blockstream, believes there is a trend for bitcoin-only hardware. Do you think this theory is credible, considering growing bitcoin market dominance?

a trend. @slush @pavolrusnak also mentioned Bitcoin only trezor firmware option.

— Adam Back (@adam3us) August 16, 2019

Charles Guillemet: We ship our wallets with the operating system which allows you to choose what cryptocurrency you would like to use. You can upload Bitcoin-only application and then you have Bitcoin-only hardware.

ForkLog: I will clarify: do you see any sense in other cryptocurrencies aside from Bitcoin?

Charles Guillemet: There are some projects that are technically different from Bitcoin. I don’t want to talk crypto politics, but as a security expert I’m OK with any network which is secure for users.

ForkLog: Let’s get back to the security. As far as I know you have found some vulnerabilities in Trezor wallets and one of them is not patchable. Could you give more details about that?

Charles Guillemet: Our team at Ledger Donjon evaluates not only Ledger native products, but also competitors’ offers. After spending some time on exploring Trezor wallets, mostly because they use the same chip as our unsecure chip, we found three types of vulnerabilities in their security model.

The first one is a side-channel attack on the PIN value. If I steal your device and try a few PIN-values while measuring the power consumption of the device, I will be able to guess the correct value of the PIN and get access to your funds only with a few penetrations when the statistic correlation is determined. We did a responsible disclosure to Trezor and they’ve patched this. I don’t think that now the new implementation of PIN verification can be broken in the same way.

The second one relates to the genuineness of device. The question for user here is how he can be sure that wallet isn’t backdoored when shipped. If you want more specific wording: how do you know that the code you’re running on Trezor is legit? The short answer – there is no way to be sure.

I loaded Trezor with the backdoored bootloader and backdoored firmware. When you receive it, it seems completely new. Then you go to the Trezor website and activate the firmware – the one that is mine. It’s completely undetectable and allows attackers to steal the funds. The problem with this attack is that it’s scalable and it’s hard to control the supply chain even if you bought it from the official store. There is really no way to be sure that the firmware is legit.

During the third attack we proved that it’s possible to extract the seed from Trezor wallet in a few minutes having a physical access. By saying this I mean less than five minutes! The cost of necessary materials to conduct this attack is just $100!

We have built an electronic card called an extractor. It allows you to extract the seed within five minutes. No hardware is unhackable. I agree with that, but it was quite easy.

ForkLog: Did Trezor solve the problem?

Charles Guillemet: No, they didn’t. We responsibly disclosed this vulnerability, but it’s not fixable, so we didn’t publish the technique. The core problem with Trezor is that they don’t use a secure element. They support full open-source and it’s a valuable position.

However, it’s very easy to implement a physical attack on their chip, but there is a way to mitigate risks. Trezor recommends to use a very long password to make it harder for the attacker to steal your funds after extraction. For me it’s a bit pointless, if security relies on a phrase in your head which you can lose or forget. Moreover, passwords are annoying, so most of the users are probably not using them.

ForkLog: Explain the HTC Zion security issue like I’m five years old.

Charles Guillemet: HTC designed a smartphone with wallet capabilities which is called HTC Exodus 1. They’ve implemented the wallet using an operating system based on hardware security features of the smartphone CPU, which can be seen as a secure enclave. I don’t want to discuss mobile wallets implementations in details. In short, just don’t put bitcoins in your smartphone. It would be the safest decision.

With HTC we succeeded in social key recovery attack. When you generate your seed on Exodus 1, you choose five trusted contacts. Then the system splits your key in shares using Shamir secret sharing scheme. Each share is completely useless and contains no information. But when you recombine the shares, you are able to reconstruct the full secret.

You can also set a threshold. For HTC Exodus it is three out of five shares for successful secret’s reconstruction. In this case each share is saved on the Android-based phones of your trusted contacts. It’s not secure, but it’s not a big deal, because as long as an attacker doesn’t have three out of five – he can’t access the funds.

The scheme is very comfortable in case you lose your smartphone. But HTC made a small mistake which completely changed the Shamir secret sharing properties. Instead of sending shares with zero information, the system was sending shares with exact information about the seed. It allowed to reconstruct the seed from only one share and to steal funds remotely. And it was scalable.

We responsibly disclosed this to HTC team and they did patch it. The vulnerability is now fixed but I would recommend to HTC users to generate a new seed and transfer their funds.

ForkLog: How much time was needed to reconstruct the seed from one share.

Charles Guillemet: Less than one second.

ForkLog: And the funds are gone?

Charles Guillemet: Exactly.

ForkLog: Now let’s talk philosophy. Prominent venture capitalist Peter Thiel believes that monopoly is the condition of every successful business. He also says that if you want to catch the lasting value, you should avoid competition. Do you agree or disagree?

Charles Guillemet: Interesting point, but I strongly disagree with this. There are many companies which are not monopolies, but they are successful. I think competition forces companies to give their best to users. I believe we should avoid monopolies, because they are good only for few people who control them. It could be a problem for democracy as well.

ForkLog: Here goes one more yes or no question. Do you think that competition motivates innovation?

Charles Guillemet: Yes, definitely.

ForkLog: Do you believe Ledger could be successful even without a market dominance?

Charles Guillemet: Being the leader is our goal, but I don’t think it would be good for industry, if we were in a monopolistic position.

Charles Guillemet was interviewed by Nick Schteringard

Follow us on Twitter and Facebook and join our Telegram channel to know what’s up with crypto and why it’s important.

Subscribe to our Newsletter

Related posts

• New Report Reveals How Long Hackers Keep Using Compromised Accounts
• North Korean Hackers Create Crypto-Trading Apps to Steal Cryptocurrencies
• CipherTrace: Twitter Hackers Laundered Stolen Bitcoins Through Exchanges and Casinos
• 7th Hacker Congress in Prague to Seek Relief from Digital Totalitarianism
• Former GlobalHell Hacker: The Attack on Twitter Is Way Bigger than Anticipated
• UK, U.S., and Canada Accuse Russia of Hacking Attacks to Steal Secret Research on Covid-19 Vaccine
• Hack of the Decade: Shameless Bitcoin Scam or Something Much More Sinister?
• Germany Calls On EU Countries to Impose Cyber Sanctions On Russian Hackers