Ledger Putting Bitcoin Hardware Wallet Inside Your Phone

By Ray Crawford

Ledger, a company known for its hardware wallets, is moving Bitcoin security to your phone. The Ledger Trustlet runs inside a trusted execution environment (TEE) on smartphones, a protected zone within the application processor that keeps cryptographic keys away from the phone's main operating system. The TEE works as a self-contained security zone, walling off sensitive operations from the broader Android operating system and anything else running on the device. The Ledger Wallet Nano, the company's existing hardware wallet, has gained traction for combining strong security with usability. Now the company wants to bring that same security model to the phone itself. The combination of security and convenience has eluded wallet makers for years, but the Trustlet's approach could shift that balance.

How secure is it? Users will want to understand how the system works before trusting the Ledger Trustlet with their Bitcoin private keys. Ledger CEO Eric Larchevêque explained the Trustlet's security architecture to Mining Pool in detail. "You can see the Ledger Trustlet as a fully virtualized hardware wallet. The code running inside the TEE is exactly the same as the [Ledger Wallet] Nano's firmware, modulo of course the OS layers (for example we're using Gregory Maxwell and Pieter Wuille's secp256k1 library for elliptic curve cryptography). Regarding software attacks, if implemented right, the TEE provides a full hardware isolation from malware — the application running inside cannot be observed, and peripherals, such as the screen, cannot be observed either when locked by the TEE," he said.

The approach mirrors Ledger's successful Nano wallet but replaces physical hardware with cryptographic isolation. Everything the Trustlet does matches the standalone device's firmware, with adjustments only for the phone's operating system layer.

Physical attacks present a different challenge than software threats. "Regarding hardware attacks, the TEE provides less protection than a smart card, but more than a typical microcontroller. Therefore, by using the Trustlet, you get a level of security certification close [to] a smart card: the secrets are hard to access from the outside world, extremely hard for a malware at the Android OS level, and reasonably hard for a physical attack," Larchevêque said. A standalone smart card tops the security ranking for physical resilience, but the Trustlet sits above commodity hardware in the middle. Because these technologies are still new, Ledger wants security researchers to test the Trustlet early and thoroughly.

The Trustlet works on Samsung Galaxy S6 and Galaxy Note 4 phones today. "More models from Samsung and other models from different manufacturers will be announced this year," Larchevêque said. The company expects the technology to spread beyond Samsung to other Android device makers later in 2015. Android malware has been expanding, making it riskier to hold substantial bitcoin amounts on a standard smartphone where any application might steal keys. The protected execution environment changes that calculation by moving the most sensitive operations—the ones that sign transactions—into an isolated zone that malware cannot touch.

Larchevêque sees potential for the Trustlet as core Bitcoin infrastructure going forward. "It is certainly a big part of the future. Hardware wallets are, in a way, personal signing devices, and you may not want to have something else than your phone with you [to complete the signing process]. Moreover, TEE can leverage cameras and/or biometrics if necessary. For enterprise multi-signature or crypto assets transaction validation, the Ledger Trustlet is an ideal candidate," he said. The CEO envisions the technology enabling biometric authentication or camera integration, both natural fits for smartphone hardware. For businesses managing multiple signature wallets or handling complex crypto asset transactions, the Trustlet offers an interesting option.

Will the Trustlet eliminate traditional hardware wallets? No. "There will always be a strong market for hardware wallets. The ubiquity of use as well as the possibility to physically separate your assets from your phone or laptop is something users value," Larchevêque said. Some users want their most important bitcoin holdings stored on a device that never connects to the internet, and nothing about a smartphone changes that preference. A laptop or desktop always runs online, and a smartphone even more so. The separation that comes with a dedicated device appeals to serious holders. A complete approach might combine the Trustlet for daily transactions and smaller amounts with a hardware wallet for longer-term storage and substantial holdings.
