
The Ledger vs. Trezor beef has a long history, but Ledger’s CTO efforts may have fanned the flames as he reported vulnerabilities his team discovered in its competitor.
Trezor and Ledger, two of the most prominent hardware wallet manufacturers, have long been locked in a rivalry.
As part of Cointelegraph’s interview with Charles Guillemet, the CTO of Ledger, he revealed that the relationship is more complex than it may seem at first. Despite the rhetoric, cooperation and respect can be found as well.
A collaborative rivalry
Guillemet said that he doesn’t know who started the rivalry, as it goes back to the “very beginning of the Ledger and Trezor companies.”
“I think things got more serious when I created the Donjon, which is our internal security team,” he conceded. The Donjon was one of the first innovations introduced by Guillemet when he joined Ledger, due to his belief that the only way to design a secure system is to “try to break it, again and again.”
While the Donjon focused on Ledger wallets, they also began looking at competitors’ products. “At the beginning that was mostly by curiosity. We just wanted to understand how they work,” he said.
That study resulted in the team finding vulnerabilities in “each single wallet that we looked at.” Guillemet noted:
“When you find a vulnerability, the right thing to do is to report it to the vendor. And that’s what we did.”
The vendors then fixed the vulnerabilities, even giving bounties to Ledger some of the time. Regarding Trezor, he mentioned a “battle of PR” between the companies, adding:
“At the end, one thing which is completely true, is that the wallet security of Trezor improved a lot thanks to us.”
While Guillemet did not remember the exact number of vulnerabilities reported to Trezor, he said they were about “six or seven.” All of them were patched except one, which was unfixable due to the fundamental design of Trezor’s chips.
Due to this, the Ledger team did not disclose its details, though they were independently reported a year later by Kraken’s security team.
Open source vs. security
The reason why the bug is unfixable is that Trezor uses a so-called MCU chip in its wallet, which is used in common household appliances and was not meant for secure data storage, Guillemet explained. When asked why, he said that this was a conscious design choice:
“They are of strong belief in open source philosophy, and when you use the Secure Element, you have to sign an NDA with the chip manufacturer, which prevents you from giving any information on what’s going on inside the chip.”
The Secure Element used by Ledger contains many countermeasures, which an open source firmware would likely reveal. According to Guillemet, secure elements are unacceptable to Trezor as they want to maintain their software completely open.
Guillemet said that open source software is “a very good thing” and noted that he personally contributed to some projects. “But when you design a security device, I think security is the most important thing.”
While he conceded that open source software could be a security benefit due to the additional scrutiny, this is not enough:
“As it prevents you from using a dedicated Secure Element, at the end you end up with a less secure device.”
Guillemet shared that he has a “good relationship personally with people at Trezor,” referring to them as “very interesting guys” — even if the two teams’ philosophies are different.
Source: , CoinTelegraph

Articles listed with Cash Tech News as the author are either general information, or may have been imported from another website, to bring our readers a rich media experience that encompasses articles that we find interesting, as well as those curated by others.
The views and opinions expressed here are for informational purposes only, and should not be confused with professional financial advice. These opinions are solely those of the author and do not necessarily reflect the views of CashTechNews.com. Every investment and trade involves risk. You should conduct your own research, and contact your professional financial advisor before making any investment.
Corrections, feedback, and ideas should be submitted through the website contact form.
