The Ledger hardware wallet, currently on the cryptocurrency market, is vulnerable to cyber attacks. Unknown security researchers identified a vulnerability, present in every single hardware wallet, that allows cybercriminals to show fraudulent addresses to Ledger users/customers. When the user requests funds at one of these addresses, the cryptocurrency is transferred to the attacker’s wallet instead of the user’s, and the user ends up losing their funds.
Hardware wallets are usually considered the safest option for storing cryptocurrency, but the one million users who have been affected by the newly identified threat to Ledger’s hardware wallets make it evident that even these cannot offer foolproof protection.
The flaw was acknowledged by Ledger on February 3rd via a tweet on its official Twitter account, where the company also shared a report [PDF] that described the vulnerability in detail. The report stated that a Ledger wallet creates a brand new address every time a payment is to be received. If the computer is infected with malware, a man-in-the-middle attack can take place while the user is generating this address to transfer cryptocurrency to their wallet, and the amount would be transferred to a fraudulent address instead.
After compromising the computer, the attacker can secretly replace the code that generates the unique address, so that the funds are deposited to the attacker’s wallet. “An attacker could be in control of your computer screen and show you a wrong address which would make him the beneficiary [sic] of any transaction sent to it,” the report highlighted.
The report mentions that, to prevent the attack, users must verify whether the wallet address is correct before transferring funds. This can be done by clicking on the button under the QR code. This button will display the address on the hardware wallet, and users will be able to verify the address.
The report also explained that this check is not applicable to the Ether wallet interface from Ledger, since the Ethereum app does not have the mitigation, and hence the user cannot verify whether the address is correct or incorrect.
Therefore, the authors of the report, who have not yet been named by the company, suggest that “If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix.”
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
The security researchers who identified and reported the vulnerability to Ledger also revealed that the company did not take their findings seriously. “We contacted the CEO and CTO of Ledger directly in order to privately disclose and fix the issue. We’ve received a single reply, asking to hand over the attack details. Since then, all our mail have been ignored for 3 weeks, finally receiving an answer that they won’t issue any fix/change,” said the researchers.
“CTO of Ledger replies that no fix/change would be done (our recommendation to enforce the user to validate the receive address has been rejected), but they will work on raising public awareness so that users can protect themselves from such attacks,” the researchers concluded.