Ledger's Nano S Cryptocurrency Wallet Hacked By A 15-Year-Old Teenager
Saleem Rashid, a 15-year-old security researcher living in the UK, has discovered a serious vulnerability in Ledger's hardware crypto-wallets.
Ledger is a French company known for its "tamper-proof" hardware wallets, which are designed for the physical safekeeping of the public and private keys used to receive or send the user's cryptocurrencies.
Rashid published his findings in a blog post in which he explains how he wrote code that gave him backdoor access to the Ledger Nano S, a $100 hardware device used by millions around the world.
Research by Rashid and two others shows that the vulnerability allows an attacker with physical access to extract the device's private key, either before or after the device is shipped, and drain funds from the wallet without the owner's permission.
According to Rashid's proof-of-concept, hardware wallets store these private keys and can be connected to a PC via a USB port. The attack targets the device's two microcontrollers: one stores the private key, while the other acts as its proxy, driving the display and the USB interface. However, the proxy microcontroller is less secure, and it cannot be distinguished whether it is running the original software programmed into the device or code written by an outsider.
To carry out the attack, the attacker must first have physical access to the hardware wallet in order to inject malicious software into it. Once that software is installed, the two chips continue to pass information to each other, and an attacker who has compromised the non-secure microcontroller on a Ledger device can run malicious code in stealth mode that steals private keys.
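The two preceding paragraphs describe the core weakness: a trusted chip that has to take a less-trusted chip's word about what firmware it is running. The following simulation is an added example and is not code from Rashid's report or from Ledger; it models a generic secure element (SE) and proxy MCU with constructed byte strings, not any real device's bus protocol or memory layout. It shows why a firmware hash that the proxy reports about itself proves nothing (a proxy that kept a copy of the genuine image answers correctly, even to a fresh challenge), and contrasts it with a measurement taken through a path the proxy's code cannot influence, represented here by a hypothetical `read_flash` primitive.

```python
"""Toy model of a two-chip wallet: a secure element holding keys and a
less-trusted proxy MCU driving USB and the display. Constructed example."""
import hashlib
import hmac
import os

# Constructed sample firmware image for the proxy MCU and its reference hash,
# which the secure element is assumed to hold.
GENUINE_FW = b"genuine proxy firmware v1 (constructed sample image)"
GENUINE_FW_HASH = hashlib.sha256(GENUINE_FW).digest()


def measure(image: bytes, nonce: bytes) -> bytes:
    """Challenge-response measurement: SHA-256 over nonce || image."""
    return hashlib.sha256(nonce + image).digest()


class ProxyMCU:
    """Honest proxy: runs what is in its flash and measures that flash."""

    def __init__(self, flash: bytes):
        self.flash = flash

    def report(self, nonce: bytes) -> bytes:
        return measure(self.flash, nonce)


class TamperedProxy(ProxyMCU):
    """Proxy whose flash holds modified code but which kept a copy of the
    genuine image solely to answer the self-report check. This models the
    'lying endpoint' problem of software attestation, not a real exploit."""

    def __init__(self):
        super().__init__(b"modified proxy firmware (constructed)")
        self._saved_genuine = GENUINE_FW

    def report(self, nonce: bytes) -> bytes:
        # Measures the saved genuine copy instead of the code actually running.
        return measure(self._saved_genuine, nonce)


def naive_check(proxy: ProxyMCU) -> bool:
    """SE sends a fresh nonce and compares the proxy's answer with the
    expected value. Freshness stops replay but not a proxy that simply
    computes the 'right' answer over an image it is not running."""
    nonce = os.urandom(16)
    expected = measure(GENUINE_FW, nonce)
    return hmac.compare_digest(proxy.report(nonce), expected)


def rooted_check(proxy: ProxyMCU, read_flash) -> bool:
    """SE measures the proxy's flash itself via `read_flash`, a hypothetical
    hardware path (debug port, bus snoop) that the proxy's firmware cannot
    intercept. The proxy is never asked what it is running."""
    image = read_flash(proxy)
    return hmac.compare_digest(hashlib.sha256(image).digest(), GENUINE_FW_HASH)


def hardware_read(proxy: ProxyMCU) -> bytes:
    """Stand-in for the hardware-rooted read: returns the actual flash."""
    return proxy.flash


def run_demo() -> dict:
    """Runs both checks against an honest and a tampered proxy."""
    honest, tampered = ProxyMCU(GENUINE_FW), TamperedProxy()
    return {
        "naive_honest": naive_check(honest),        # True
        "naive_tampered": naive_check(tampered),    # True: the check is fooled
        "rooted_honest": rooted_check(honest, hardware_read),      # True
        "rooted_tampered": rooted_check(tampered, hardware_read),  # False
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The takeaway for a design review is the one the article's description implies: a measurement is only as trustworthy as the component that takes it. If the key-holding chip can only ask the proxy about its own firmware, the check is a courtesy, not attestation; the reference hash must be compared against something the secure side reads or enforces itself.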
The vulnerability enables two kinds of attack: a "supply chain attack", in which the device is compromised before it is shipped to the customer, and a post-purchase attack, in which a hacker steals private keys after the device has been initialized.
For the "supply chain attack," the Ledger team wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller."
The team added, "If you bought your device from a different channel, if this is a second-hand device, or if you are unsure, then you could be a victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is a proof that your device has never been compromised."
For the post-purchase hack, they wrote that it "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo."
Ledger has issued a patch for the Ledger Nano S, four months after the initial disclosure, while a patch for the "Ledger Blue" will not be available "for several weeks", Ledger's chief security officer, Charles Guillemet, told Quartz, as it is not viewed as urgent.
“The issues found are serious (that’s why we highly recommend the update), but NOT critical,” said Guillemet. “Funds have not been at risk, and there was no demonstration of any real-life attack on our devices.”
Eric Larchevêque, Ledger's CEO, said that there were no reports of the vulnerability affecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected."
For his part, Rashid was disappointed with the speed of Ledger's response. He said in his blog post that he had sent the code he developed to Ledger "a few months ago," adding that he had not been paid a bounty for his discoveries.
In the blog post, Rashid explains:
"Before I get to the details of the vulnerability, I would like to make it clear that I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report.
"I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger's CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this, I became concerned that this vulnerability would not be properly explained to customers."
However, Larchevêque said in his Reddit comments that the security issue had "been greatly exaggerated."
"While possible, this proof of concept ranks by no means as a critical severity level and has never been demonstrated," he wrote.
"We were in contact with Saleem for the last four months. It is incorrect to state that we did not reply to him or do anything. There were other vulnerabilities that came along at the same time and it was a complex vuln that was deep in the architecture of our system," he added. "All systems have vulnerabilities. That's part of the life of any security system. It's a game of cat and mouse."
Larchevêque accused the teenager of becoming "visibly upset" when the firm did not share the fix as a "critical security update" and said his decision to go public had "generated a lot of panic."
Source: BBC