Ledger: Recently Discovered Wallet Vulnerabilities Not Critical

Published at: Dec. 28, 2018

Ledger claimed that recently uncovered vulnerabilities in its hardware wallets are not critical in an official Medium blog post on Dec. 28.

Yesterday at the 35C3 Refreshing Memories conference in Berlin, researchers claimed that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue cryptocurrency wallets.

In the post, the company explains that there appeared to be “three attack paths which could give the impression that critical vulnerabilities were uncovered,” but according to them “this is not the case.”

The reason Ledger says that the vulnerability is not critical is that “they did not succeed to extract any seed nor PIN on a stolen device” and “sensitive assets stored on the Secure Element remain secure.”

According to the company, the Ledger Nano S vulnerability “demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) app is launched.”

This, Ledger claims, is “quite unpractical, and a motivated hacker would definitely use more efficient tricks.” While the researchers claimed that the vulnerability allowed them to “send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves” Ledger denies its, stating:

“Their firmware runs snake on the MCU in Bootloader mode. This means that you have to push the left button at boot and the Secure Element does not even boot.”

Ledger also claims that the demonstration of the Ledger Blue attack is “a bit unrealistic and not practical,” claiming that “the position of the receiver and the attacked device must be exactly the same,  the position of the USB cable is also paramount (as it acts as an antenna).”

The post stated that “if the conditions are not exactly the same, the machine learning classifier won’t work properly.” For this reason, Ledger concluded:

“This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).”

Furthermore, because of this vulnerability, Ledger stated that the next Ledger Blue firmware update will feature a randomized keyboard for the pin.

The company also stated that they “regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.” According to Ledger “in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users.”

In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault. Moreover, the company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.

Tags
Related Posts
Research Team Demonstrates Hard Wallets Vulnerabilities, Trezor Promises Firmware Update
Researchers have reportedly shown how they were able to hack the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. The demonstration of the hacks was published in a video on Dec. 27. The research team behind the dubbed “Wallet.fail” hacking project is made up of hardware designer and security researcher Dmitry Nedospasov, software developer Thomas Roth and security researcher and former submarine officer Josh Datko. During the conference, the researchers announced that they have been able to extract the private key out of a Trezor One hardware wallet after flashing — overwriting existing data …
Blockchain / Dec. 28, 2018
Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets
Major hardware wallets manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices, according to a report published on Monday, March. 11. As of press time, Trezor was not immediately available to comment on Ledger’s findings. The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it has repeatedly addressed Trezor about weaknesses in their Trezor One and Trezor T wallets, and has decided to make them public after the responsible disclosure period ended. The first issue is related to …
Blockchain / March 11, 2019
Ledger Commits to Remedying Nano S Update That Decreased Storage Capacity
French cryptocurrency hardware wallet company Ledger published a post on its official blog on Feb. 14 apologizing for issues with a recent firmware update for its Ledger Nano S. Specifically, the update reportedly decreased the device’s storage capacity, which the firm has promised to remedy. “This was not planned obsolescence, simply put, we messed up. We apologize and we’re committed to making it right,“ the post states. Some users had interpreted the firmware version 1.5.5 update as a way to bring planned obsolescence to the Ledger Nano S. The reason for the suspicion is that the update was released shortly …
Blockchain / Feb. 15, 2019
Coinbase Wallet extends support to Ledger hardware wallet
Coinbase Wallet, an in-house wallet service offered by prominent crypto exchange Coinbase, has rolled out browser extension support for Ledger hardware wallets. The Coinbase Wallet extension, available in the Chrome Web Store, is a noncustodial wallet that allows users to store and transact cryptocurrencies and nonfungible tokens (NFT). By adding support for Ledger, Coinbase users can opt to use a physical Ledger device to store the private keys to their wallets offline. Coinbase senior product manager Adam Zadikoff highlighted the development as being a means to providing an additional layer of security and greater peace of mind for users. He …
Blockchain / Feb. 22, 2022
What is a seed phrase and why is it important?
How to keep your seed phrase safe A crypto seed phrase in the wrong hands can do damage, so it is advisable to always ensure it is safe. The following are some tips for ensuring your seed phrase is secure. Never share your seed with anyone else: It’s extremely important that you never reveal your recovery phrase to anyone. Why? Because if someone else finds out your recovery phrase, they will be able to access — and therefore control — your crypto funds. Make a note of it on paper and keep it in a secure location: This is the …
Blockchain / Aug. 27, 2022