EddieOz on Nostr: Dark times for secure elements (SE) and hardware wallets
Dark times for secure elements (SE) and hardware wallets
Trezor uses a secure element (SE) from Infineon, specifically the SLE78, which they implement in their products as the Optiga Trust M. They assure customers that their seed backup is safe, but they fail to mention that the ECDSA private key is the information being stored, which could be seen as misleading to their customers.
My research shows that Ledger, Coldcard, and OneKey use secure elements from different manufacturers.
Coldcard uses two different secure elements from separate manufacturers. One of them is Microchip's ATECC608, and recently, the company was reportedly affected by malware, compromising some internal information. However, there is currently no information regarding the full extent of the impact.
Reference links below:
Secure element vulnerability: https://ninjalab.io/eucleak/
Microchip's cyberattack: https://bleepingcomputer.com/news/security/microchip-technology-confirms-data-was-stolen-in-cyberattack/
https://sec.gov/Archives/edgar/data/827054/000082705424000181/mchp-20240904.htm

Published at 2024-09-05 08:27:26

Event JSON
{
"id": "ee8cc8451bc1b37a56e97d2297a62f5d153ffca93c2417928060b1b93bc596e0",
"pubkey": "eac630759e313832c4d0113b9e1082279fb0efa6a9ce81cda9e8a366b4988b48",
"created_at": 1725524846,
"kind": 1,
"tags": [
[
"nonce",
"601273",
"20"
],
[
"client",
"noStrudel",
"31990:266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5:1686066542546"
]
],
"content": "Dark times for secure elements (SE) and hardware wallets\n\nTrezor uses a secure element (SE) from Infineon, specifically the SLE78, which they implement in their products as the Optiga Trust M. They assure customers that their seed backup is safe, but they fail to mention that the ECDSA private key is the information being stored, which could be seen as misleading to their customers.\n\nMy research shows that Ledger, Coldcard, and OneKey use secure elements from different manufacturers.\n\nColdcard uses two different secure elements from separate manufacturers. One of them is Microchip's ATECC608, and recently, the company was reportedly affected by malware, compromising some internal information. However, there is currently no information regarding the full extent of the impact.\n\nReference links below:\nSecure element vulnerability: https://ninjalab.io/eucleak/\nMicrochip's cyberattack: https://bleepingcomputer.com/news/security/microchip-technology-confirms-data-was-stolen-in-cyberattack/\nhttps://sec.gov/Archives/edgar/data/827054/000082705424000181/mchp-20240904.htm",
"sig": "ea6a8e65978380c164562fcf8666dcf18c908a5ea83ee64ad47f53ce0d319bbc87a5fbb861869f2a1fb3ef62df2526fef1f0bd713ed4b55b5a8f49279fd6c5c5"
}