Ledger’s Nano S Cryptocurrency Wallet Hacked By A 15-Year-Old Teenager
Saleem Rashid, a 15-year-old security researcher living in the UK, has discovered a serious vulnerability in Ledger’s hardware crypto-wallets.
Ledger, is a French-based company that is famous for their “tamper-proof” hardware wallets made for physical safekeeping of public and private keys used to receive or send the user’s cryptocurrencies.
Rashid published his findings in a blog post where he explains how he devised a written code that gave him a backdoor access into the Ledger Nano S, a $100 hardware device that is used by millions around the world.
Research by Rashid and two others shows that the vulnerability in the wallet allows an attacker to siphon the device’s private key physically before or even after the device is shipped and drain funds from the wallet without the owner’s permission.
According to Rashid’s proof-of-concept, hardware wallets store these private keys and can be connected to a PC via a USB port. The attack targets the device’s micro-controllers, one of which stores the private key, while the other acts as its proxy to support display functions and the USB interface. However, the proxy microcontroller chip is less secure and can distinguish between original software programmed into a device and code written by an outsider.
To carry out the attack, the attacker must first have physical access to the cryptocurrency hardware wallet, so that he can then inject malicious software in it. Once the infected software is installed, the two chips pass information to each other and an attacker could compromise the non-secure microcontroller chip on the Ledger devices to run malicious code in stealth mode that can steal private keys.
The vulnerability discovered allows for both a “supply chain attack”, which means a hack that could compromise the device before it was shipped to the customer. On the other hand, another attack could allow a hacker to steal private keys after the device was initialized.
For the “supply chain attack,” the Ledger team wrote: “by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller.”
The team added, “If you bought your device from a different channel, if this is a second-hand device, or if you are unsure, then you could be a victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is a proof that your device has never been compromised.”
For the post-purchase hack, they wrote that it “can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo.”
Ledger has issued a patch for the Ledger Nano S, four months after the initial disclosure, even though a patch for the “Ledger Blue” will not be available “for several weeks”, said Ledger’s chief security officer, Charles Guillemet (who spoke with Quartz), as it’s not viewed as urgent.
“The issues found are serious (that’s why we highly recommend the update), but NOT critical,” said Guillemet. “Funds have not been at risk, and there was no demonstration of any real-life attack on our devices.”
Eric Larchevêque, Ledger CEO claimed that there were no reports of the vulnerability affecting any active devices. “No one was compromised that we know of,” he said. “We have no knowledge that any device was affected.”
For his part, Rashid was disappointed with the speed with which Ledger responded to his claims. He said in his blog post that he had sent the code developed to Ledger “a few months ago,” adding that he had not been paid a bounty for his discoveries.
As part of the blog, Rashid explains:
“Before I get to the details of the vulnerability, I would like to make it clear that I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report.
“I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of thi,s I became concerned that this vulnerability would not be properly explained to customers.”
However, Larcheveque in his Reddit comments said that the security issue had “been greatly exaggerated.”
“While possible, this proof of concept ranks by no means as a critical severity level and has never been demonstrated,” he wrote.
“We were in contact with Saleem for the last four months. It is incorrect to state that we did not reply to him or do anything. There were other vulnerabilities that came along at the same time and it was a complex vuln that was deep in the architecture of our system,” he added. “All systems have vulnerabilities. That’s part of the life of any security system. It’s a game of cat and mouse.”
Larcheveque blamed the teenager of becoming “visibly upset” when the firm did not share the fix as a “critical security update” and said his decision to go public had “generated a lot of panic.”