Topic: Trezor or Ledger !! (Read 347 times)

Fair answer, I must confess.  What about the coming Ledger nano s+? Would you trust it knowing that  a few years ago the 15-years-olf kid has managed to breach the security of  that wallet pretended to be safe? I think both old cases  are similar. For me the design of Ledger nano is much worse than that one of Lilipall Titan which I'm intended to buy to replace my old Ledger nano s.

It's the safest device in the universe since the beginning of time... and now they have it inside metallic cage like in medieval times, so it must be 1000% safe and secure (not).

For the sake of experiments, I propose that we all make a donation (popular topic nowadays) to purchase one of this Titan device and pay someone to open it, just so that we can see what's inside.
I think it's totally worth the effort, even if that means device will self destruct, or maybe only delete something from it's memory.
Imagine opening this metal case and we find inside exact same android components and more interesting stuff to report, hack we maybe we even get paid by Ellipal team.  

The difference is the attack on the Ledger device did not allow someone to extract the private keys or steal the coins on the device unless the owner unlocked the device, unlike the attack on the Ellipal device. It has also long been patched and is no longer a concern. Still, I don't trust Ledger devices either now given their also very amateurish behavior as a company, their disregard for the safety of their customers' information, and their willingness to compromise security and privacy in the name of making profits.

I've not seen any in depth analysis of the Titan and its hardware, good or bad. However, I have little faith in a company which puts a new cover on an Android phone and calls it a hardware wallet. Even if the new Titan has addressed many of the issues raised, their past behavior is very amateurish and I wouldn't trust their new device, especially given it is closed source.

No, but I don't trust a company which is supposed to be focused on privacy and security and wants to risk both by collecting KYC data. It's completely antithetical to what they are supposed to stand for. And even if you don't want to use the card, you still have to use Ledger Live and submit to all the third party data sharing which comes with it.

To be fair, they (or Baanx) will have your KYC details if you submit your KYC details. You don't have to, and you don't have to use their upcoming debit card either.

That would be my choice If I needed a new hardware wallet tomorrow. Although, that tomorrow won't come before February 2022 when the pre-orders will start to be shipped out. That's the idea anyway. The passphrase adds an additional security layer and it's recommended to use one no matter if there is a Trezor seed extraction vulnerability or not.

To be honest, they claimed the same thing a few years ago when they were selling a PCB based on a MediaTek SoC from a cheap smartphone disguised as a "most secure" hardware wallet. That was long before Ellipal Titan was developed.

source: https://web.archive.org/web/20180918182353/http://www.ellipal.com:80/ (18 Sep 2018)

I am not trying to convince anyone thick skull about anything, and if you are happy with closed source phone lookalike crap, with totally unknown components hidden inside, no secure element, coming from Hong Kong, with fake most-secure label, than go ahead and use it.
Btw old Ellipal is not some 100 years old device from distant past, it was developed and sold just two years ago, and new device is exactly the same shit in new metal package.
I also found some interesting reviews:

https://www.hardware-wallets.net/ellipal-titan-review/

Ellipal = Zero transparency.
End of discussion for me about this Ellipal Junk.

LOL!
Incredible...
My guess is it was easier (cheaper) to buy something like that (maybe old stock) than project and order a new board. And probably firmware, drivers comes for free ;-)

Always look at the bright side of life - maybe it will be possible to play Doom at your hardware wallet.

Ledger Donjon did an indepth analysis here: https://donjon.ledger.com/Ellipal-Security/

Not only is it an Android phone underneath, but many of the capabilities of an Android phone, such as WiFi and booting to factory testing mode were only prevented by Ellipal's software and were easily re-enabled. They could dump the flash, which included the private data of the user which could then be bruteforced for their private keys. It would also be trivial to replace the software with something malicious which uses pre-generated seed phrases or leaks data over the now-enabled WiFi chip. All things considered, I wouldn't touch this device.

Yeah, this is pretty much what I'm doing now, and I can't see myself moving back to hardware wallets for any significant amounts of funds for a long time yet.

I have proof from 2019 made by Ledger Donjon team (they said this device is quite similar to a low-end mobile phone) when they extracted seed from old Ellipal wallet, and you can see how it looks inside .
This is probably one of the worst junk I ever saw used in hardware wallets, and I am sure nothing much is changed from inside with their new ''Titan'' version with metal enclosure.
Cellular technology EDGE; GPRS!?, HSPA+, Bluetooth, Wi-fi, GPS.... all inside Ellipal wallet, even FM radio if you get bored and want to listen some music on Ellipal  


https://donjon.ledger.com/Ellipal-Security/

PS
To be as objective as possible, I am posting reply written by Ellipal developers in December 2019:
https://www.ellipal.com/blogs/news/ledger-donjon-vulnerability-study-and-the-development-of-the-ellipal-titan?_pos=1&_sid=47f3caf51&_ss=r

I would also choose neither of them at this moment, ledger because of known reasons you mentioned and many other issues with their devices.
I wouldn't buy Trezor know until they release new device with secure element, and I would buy it only if the price is somehow reasonable.
Good alternative option is always doing cold storage with your old computer/laptop that has fresh Linux OS and disabled any internet connection.

Ellipal is just a smartphone repackaged into hardware wallet, I think that someone even found inside device there is all elements for wi-fi, bluetooth, and internet connection. 
Besides that, Ellipal is closed source, it's not supporting multisig setup, not supporting 3rd party wallets like Electrum, and I am not sure if they even started to support Segwit addresses... 

For a while I would have said either Trezor or Ledger is fine.

Then it was discovered that Trezor devices have an unfixable vulnerability which allows someone with physical access to the device to extract the seed phrase. So I would have said go Ledger.

Then Ledger leaked a million customers' personal information and were less than forthcoming with the details. So I would have said go Ledger only if you can buy anonymously (which, to be fair, has always been good advice).

Now Ledger are trying to turn themselves in to a KYC collecting bank/exchange/debit card provider, which is terrible for the privacy and security of your coins. So now I say go Trezor but make sure you use a long a complex passphrase to mitigate against the above attack.

Ideally, I would say get neither and start exploring other options. Personally, I've pretty much abandoned hardware wallets for the time being until I find a device and company which don't have significant flaws/bugs/vulnerabilities as above (or until Trezor release a new device which fixes the above vulnerability).

Why do you choose between Trezor and Ledger, discarding other options?

At the moment, a lot of companies produce hardware wallets that can satisfy the needs of every customer.

I would not buy Trezor, because they have never lost data of users and they still have to do it

I would choose Ledger as they have already leaked their users' data and have now taken every precaution to prevent this from happening again. Oops, they did it 2 times, which means that now their protection is super reliable  

I'm kidding, of course. You will have to make the choice yourself from the list of those devices that are on the market now. Above already gave you a link to a topic on this forum. Just study.

This is really a "Coke or Pepsi?", "PC or Mac?", "X or Y?" type question... with no real right or wrong answer.

You're going to fine proponents of both... and users that dislike both, for a variety of reasons. I have both, and find that they're pretty much equally capable, and cost about the same when I originally bought them. They both had their pros and cons.

At the end of the day, you'll need to look at all the features of both, and likely the price point + shipping and make a determination as to which works best for you personal situation. While I would struggle to currently recommend Ledger due to the quality issues they have had of late, if the choice is between no hardware wallet or a Ledger, then I'd say, get the Ledger.

But don't necessarily ignore other wallets like Coldcard or BitBox either.

We are really spoiled for choice these days... and that is always a good thing!

Those are already Centralized Exchanges (CEX), when the risks are higher but you get to stake POW coins which is not possible on hardware wallets

You have a point, but based on my limited knowledge of the field in question, most of the ones I've seen were limited to POS ^{[with the exception of a few (e.g. Kraken)]}.

I can't give you a definitive answer, but I did manage to find a Reddit link ^{[Ledger staking, higher fees?]} and judging by "its last comment", they have the exact same fees.
^{- Assuming that it's true, then that could be one of its advantages over Trezor, but I still wouldn't recommend getting one in 2021!}

I have heard about BOLOS but I have to admin that I never took the time to look up what it meant. When I saw the user mention the term, I thought it was just a bunch of words he put together my mistake. My bad!

I wonder how their staking platform performs when compared to other staking options in terms of rewards, and if Ledger gets a percentage of each sum that is paid out? If you use their swaps platform for example, you get worse rates than if you visited the official website and performed the swap there.   

At least you have a physical exchange. I have to trade mine online

Yea man, back then we were busy mining on laptops and PCs, they weren't taken "seriously" as they are now. I remembered buying some BTCs but didn't really think of the price appreciation. Simply chucked some chump change out of curiosity and somewhat forgot about them until the end of 2017.


Color me surprised as well! That's a selling point, but if your coins are POW (e.g. Bitcoin) then 😅

Trezor ^{[@dkbit98 already covered the details]}!

That part sounded like you're a shill!

As a Trezor user who has never hodled intentionally, I have to disagree with how you've generalized users, solely by their hardware wallet choices!

You could've achieved that with Ledger as well: EARN MONEY BY HOLDING CRYPTO ASSETS
^{- I'm not sure when they've introduced that feature exactly!}

Mostly online transactions, but when I want to sell BTC then I visit one of the physical exchanges available to me - unfortunately I don't have any physical store nearby that accepts BTC.


When I started 2014 and the price was below $1000 and then it fell below $200 - it was possible to collect very nice amounts on faucets, and so I earned my first BTC. It was a time of opportunity, and the waste of time as some called it paid off

I have to admit that it was a completely different time, because given the price of BTC most people didn’t care too much about the safety of coins, although the Trezor made its first model just in early 2014. It took years for hardware wallets to become interesting to the wider crypto community, and I think I only bought the first device in 2018.

That's nice! You mean like when you're outside or online transactions?

Well, it'd be easy for those that managed to keep during the early days. Imagine trying to reach the 1 BTC club, would be a major achievement for most of us haha.

You’ve chosen what you think is the best choice, and in the end, it may turn out that you were smarter than all those who use hardware wallets for secure storage. Nothing in this world is 100% safe, and neither are hardware wallets - and in my opinion, the best method for long-term storage is a properly made air-gapped wallet.


I also use Bitcoin as a currency on a regular basis, and sometimes I sell a small portion when I want to buy something that I would not otherwise be able to buy. It’s good if a person finds a measure between spending and saving, and with Bitcoin, it really makes sense given that its value has increased incredibly over the past 5 years.

While there are definitely instances of compromised units, which is the sole reason it's advised to buy from Ledger themselves,

I wouldn't say the unit itself is exploit-free, because there are always people finding ways to force their way into things. Here's an article which mentions Ledger being aware of it in 2019 and released a fix

https://decrypt.co/37651/ledger-exploit-makes-you-spend-bitcoin-instead-of-altcoins


It wasn't sarcasm, as what I'm doing is indeed against the whole principle

And I'm not forcing everyone to ditch hardware/ cold wallets altogether; their coins their rights.

On a side note, good to know that you have the ultimate patience! Many would have sold the moment they see some sweet gains.

He is probably thinking of this: Blockchain Open Ledger Operating System.


However, I agree that this is not enough to claim that Ledger devices have "open source security" since their most important component, the secure element, is still closed source.

I am a long-standing Ledger user myself and pretty satisfied with my purchase, but If I needed a new hardware wallet today, I would go for a Trezor. Ledger has let the community down several times by not admitting the extent of the database leak and producing faulty devices. I don't think Trezor or any other company would have handled it any better because it's business and protecting your face and interests above all. Trezor also doesn't like discussing the unfixable seed extraction vulnerability, but I think it is something that should be part of their starting manual and onboarding process. Like I said, protect your interest above all.   

Not exactly sure what this is supposed to mean.

They were both created for the same purpose. There is no reason to think that hodlers use Trezor for long-term storage, but they work with a Ledger for everyday transactions. Usually it's either one or the other.

And what features would that be that we don't care about?
 
Most people wouldn't be able to name 50 different coins even if they had a gun pointed to their head. So those numbers mean nothing. Besides, both Ledger devices support the same coins. On Trezor, it's the other way around. The Model One doesn't support all coins that the Model T does.

Ehh, what? I am not sure what a "Blockchain open Ledger Operating system" is, but the difference between the two is that Ledger uses a secure element which is closed-source. You cannot reproduce it because the code is not public. Trezor, doesn't have a secure element at all and is reproducible and open-source.

Ledger and Trezor  Wallet are both recommended for anybody who doesn't care much about their features but needs to save their funds on a safe zone. Ledger wallet supports more coins upto 1800 cryptocurrency while Trezor supports about 1600 kinds of coins. So, anybody who cannot find the coins which they hold on Trezor will likely get recommended to use Ledger despite any dispute that may be related to the hardware wallet.

On the other hand, security is one big criterion that every user must get wary about. Ledger has an open source security known as Blockchain open Ledger Operating system which can be accessed by anybody that knows how to check for vulnerability. This helps the platform to keep up with the strength of their hardware against attacker.

Whereas, Trezor does not have an open source security but only operates on their own security. It's the few cents I can offer about these hardware wallets.

On every leak from hardware wallets I can show you hundred times more examples of leaks and hacks from centralized exchanges, including Binance, Kucoin and Mt.Gox.
I wouldn't suggest anyone to follow your dumb example, and I would NEVER use or purchase hardware wallet from anyone.

Just know that Ledger Nano has a close source secure element. I will prefer to go for an open source wallet.

Also know that Trezor is open source but not having secure elemen, this makes it vulnerable to physical attack that can reveal seed phrase of the Trezor wallet to attackers. If prefering to buy it, it will be better to use passphrase with it, with passphrase, new keys and addresses will be generated. But, note that you will need your passphrase along your seed phrase anytime you want to recover back your wallet. If the seed phrase or the passphrase is lost, the funds are gone, both must not lost but properly backup offline.ljme on paper in different locations.

Any information you leave online is susceptible to being hacked or leaked. This has nothing to do with the security of the offline hardware wallet devices. It is the nature of the modern internet, and it means that cold storage is actually a far safer choice.

This is the data that appeared first, but later Ledger admitted that there were as many as 292 000 users whose personal data were hacked and later made public. The extent of this damage is therefore far greater, and unfortunately does not diminish with time.


There is no need for sarcasm, your coins, your right to keep them any way you want. While the possibility of earning interest seems tempting to many, for me and many others it is simply too much of a risk for some 4% or maybe more per year. I’m just one old type holder who was here when 1 BTC was only worth about $200, so from a profit perspective I don’t mind keeping BTC in my HW with 0% risk and huge profits all these years

It’s your prerogative, but the idea that a hardware wallet is much safer than a custodial online wallet still prevails. The data breach did not weaken the device’s security, but rather opened a window for targeting Ledger owners through targeted campaigns, most of these were some sort of phishing attempt. Dreadful set of events, which should not have taken place, but not directly weakening the strengths of the device per se, albeit conceptually affecting owner’s overall security. 

Some more costly malicious campaigns, with a more delimited scope (not quantified), tried out something different, like the case depicted on the article you reference. The basis used there was using a physically tampered Ledger device to essentially camouflage an enclosed flashdrive, bearing some phishing software that would ask you for your mnemonic (similar to those sites we’ve seen multiple times requesting this information pretending your device was faulty, and that it was a necessary recovery procedure). Of course, the information leak allowed for the attack to be targeted, and crafted with a gullibly plausible explanation as to why you should use the bootleg device to replace his existing device. Nevertheless, this is not a vulnerability of the existing Ledger devices themselves itself at all, and no new exist of this being a widespread semi-counterfeit practice.

Well worth reading threads there.

Yep, I committed a cardinal sin by disregarding that statement. I'm aware of the risks, but I'd rather earn interests aside from price appreciation. So far the wallets I parked my funds in are insured so if anything happens, at least there's some form of compensation.

I do have some coins kept on exchanges, as the rates are better + choices are limited. But they're shitcoins so I don't really care much.



About the hacks, one didn't involve any social engineering though, rather within the software itself:


Another one was a data leakage for those that registered on Ledger's website which involved residential addresses, quoted through the same source as above.

A strange decision since we keep repeating the golden rule that reads "not your keys, not your coins". I hope you are aware of the risks arising from storing cryptocurrencies on online crypto wallets/exchanges. Mt.Gox and Quadriga were not a sufficient warning , along with some other lesser known hacks and exit scams.


Any vulnerability discovered so far required physical access to the hardware wallet, and I am not aware of anyone reporting such hacking. Hacking through social engineering and phishing is something completely different, it has nothing to do with the security of the hardware wallet but with users who are not aware of how these devices work. If you don't expose your seed or become a victim of clipboard malware, I don't see how anyone will hack your HW.

I used to own a Ledger Nano S, but sold it after I preferred leaving them inside online wallets.

Also, offline wallets are not safe from hacks. Some time ago, Ledger suffered some data breach, as well as a hardware exploit

https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17

Don't waste your money buying closed source ledger nano x wallet, it's full of problems with batteries/firmware and I wrote more about in my Battery Pandemic topic.
In different topic I also explained why I would not buy ledger nano S wallet ever again, because of small Memory, cheap plastic and display, etc.

Trezor is open source and better hardware wallet in my opinion, but there are other options like you can consider during this black friday, like BitBox02, Keystone, Coldcard and few others that all have secure elements:
https://bitcointalksearch.org/topic/black-friday-deals-2021-5372140

Both devices have their purpose, to safely generate your seed, and to allow you to store your private keys in a secure environment as long as you are aware of all the possible risks that still exist. The best hardware wallet or cold storage cannot protect you if your backup (seed or private key) is not saved in a secure way (not in an email, cloud, or as a plain text document on your computer), and if you are not aware that there is something called clipboard malware which can change the coin address to which you send/receive cryptocurrency.

When it comes to the reputation of both companies, Ledger is certainly at a disadvantage here due to the massive leak of user data (which includes all personal data), which has angered many for a reason and encouraged them to look for an alternative.

Trezor on other hand has not had such problems, but their reputation has been tarnished with the detection of vulnerabilities that make it very easy to extract the seed if someone comes into the physical possession of the device. There is a way to prevent this by setting a passphrase or using an SD card on a Model T, but the fact remains that the vulnerability is irreparable on existing devices.


Perhaps the most important thing is not which HW you will choose from these two (both serve a purpose), but how you will buy them. It is safest to do this directly from the manufacturer, pay with Bitcoin and use the PO box to avoid giving out your personal information. Another option is to buy from an authorized reseller in a physical store and pay in cash.

For more information, I suggest you visit Hardware wallets

The choice of which to by is entirely up to your preference as the user as they are both good hardware wallets to use;

• Ledger is more user friendly and as such it would likely be the best option for someone who is trying out hardware wallets for the first time and also someone who is interested in diverse cryptocurrencies as it supports more altcoins,
• Trezor is completely open source as opposed to the former and this feature attracts some highly security conscious users,
• The price of both is also another factor someone could consider when choosing which to invest in, as well as the delivery options.

If you're holding large amounts of Bitcoin, regardless of the duration you plan to hold for, it is wise to invest in a hardware wallet for more security.

Which one is best to buy in 2021?

Trezor is legacy wallet as well Ledger is most integrated & preferred wallet.

According to me, Long Holders usually prefer Trezor & ledger is preferred for everyday transactions.

Now, let share information what you like to buy and why?