Trezor’s latest hardware wallets, the Safe 3 and Safe 5, have some serious security issues, according to a report from Ledger that was released on March 12. The report said that its security research team, Ledger Donjon, found that these devices had a ton of vulnerabilities in their microcontrollers that could allow hackers to gain remote access to user funds. The flaws come despite Trezor’s upgrade to a two-chip design that includes an EAL6+ certified Secure Element. While the Secure Element protects PINs and private keys, Ledger’s report reveals that all cryptographic operations are still performed on the microcontroller, which is vulnerable to voltage glitching attacks. If exploited, an attacker could extract cryptographic secrets, modify firmware, and bypass security checks, leaving user funds at risk. Trezor’s new security design fails to protect critical operations Trezor launched the Safe 3 in late 2023, followed by the Safe 5 in mid-2024, and both wallets introduced an upgraded two-chip design, in efforts to move away from the single-chip architecture used in older Trezor models. The upgrade also added an Optiga Trust M Secure Element from Infineon, which will be a dedicated security chip to store PINs and cryptographic secrets. According to Ledger’s findings, this Secure Element prevents access to sensitive data unless the correct PIN is entered. It also blocks hardware attacks like voltage glitching, which were previously used to extract seed phrases from models like Trezor One and Trezor T. PCBs of two Trezor Safe 3, one running genuine software and the other running modified firmware | Source: Ledger But despite these improvements, Ledger Donjon’s research shows that the main cryptographic functions—including transaction signing—still happen on the microcontroller, which remains a major security weakness. The microcontroller used in the Safe 3 and Safe 5 is labeled TRZ32F429, which is actually a custom-packaged STM32F429 chip. This chip has known vulnerabilities, specifically voltage glitching exploits that allow attackers to gain full read/write access to the flash memory. Once an attacker modifies the firmware, they could manipulate entropy generation, which plays a key role in cryptographic security. This could lead to remote theft of private keys, giving hackers complete access to user funds. Authentication system fails to verify microcontroller integrity Trezor uses cryptographic authentication to verify its devices, but Ledger Donjon found that this system does not check the microcontroller’s firmware. The Optiga Trust M Secure Element generates a public-private key pair during production, and Trezor signs the public key, embedding it into a certificate. When a user connects their wallet, Trezor Suite sends a random challenge that the device must sign using its private key. If the signature is valid, the device is considered authentic. How the Optiga Trust M Secure Element works | Source: Ledger But Ledger’s research shows that this process only verifies the Secure Element, not the microcontroller or its firmware. Trezor attempted to link the Secure Element and microcontroller using a pre-shared secret, which is programmed into both chips during manufacturing. The Secure Element will only respond to signature requests if the microcontroller proves knowledge of this secret. The problem? This pre-shared secret is stored in the microcontroller’s flash memory, which is vulnerable to voltage glitching attacks. Ledger’s team was able to extract the secret, reprogram the chip, and bypass the authentication process entirely. This means an attacker could modify the firmware while still passing Trezor’s security checks. Ledger’s report describes how they built a custom attack board, which allowed them to break out the TRZ32F429’s pads onto standard headers. This setup lets them mount the microcontroller onto their attack system, extract the pre-shared secret, and reprogram the device without detection. Once reprogrammed, the device would still appear legitimate when connected to Trezor Suite since the cryptographic attestation system remains unchanged. This creates a dangerous situation, where compromised Trezor Safe 3 and Safe 5 wallets could be sold as genuine devices, while secretly running malicious firmware that steals user funds. Firmware validation is bypassed, leaving users exposed Trezor does include a firmware integrity check in Trezor Suite, but Ledger Donjon found a way to completely bypass this protection. The firmware check works by sending a random challenge to the device, which then computes a cryptographic hash using both the challenge and its firmware. Trezor Suite verifies this hash against a database of genuine firmware versions. At first glance, this method seems kind of effective—an attacker can’t just hardcode a fake hash because they wouldn’t know the random challenge in advance, so the device must compute the hash in real time, proving it’s running genuine firmware. However, Ledger Donjon discovered a way to fully bypass this protection. Since the microcontroller handles this computation, an attacker can modify its firmware to fake a valid response. Source: Ledger By manipulating how the device calculates the hash, the attacker can make any firmware version appear authentic. This is a serious issue because it allows attackers to run modified software while still passing Trezor Suite’s verification checks. As a result, a compromised Trezor Safe 3 or Safe 5 could still appear legitimate while secretly leaking private keys or altering transaction data. Ledger’s report concludes that the only way to fully secure the Safe 3 and Safe 5 would be to replace the microcontroller with a more secure alternative. The Trezor Safe 5 does include a more modern microcontroller, the STM32U5, which has no publicly known fault injection attacks—at least for now. But since it’s still a standard microcontroller, not a dedicated Secure Element, the risk remains that new attack methods could be discovered. Trezor has already patched the vulnerabilities, but the underlying security concerns remain. Until the microcontroller itself is fully secured, users will have to trust Trezor’s software protections, which Ledger Donjon’s research has already proven can be bypassed. Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot
