A 15-year-old IT security researcher Saleem Rashid has identified a set of three highly critical vulnerabilities in hardware cryptocurrency wallet Ledger that would allow attackers to compromise the device before even the user could receive it.
According to the proof of concept published by Saleem in his blog post, he infected the Ledger Nano S, a $100 (€82) hardware wallet with a backdoor that allowed him to access the device without any hurdle.
Saleem went on the explain that by exploiting these vulnerabilities malicious attackers can access PIN codes (secret/private keys) of users and empty their wallets by stealing every dime of their stored cryptocurrency without raising any suspicion – Simply put, Saleem conducted a “supply chain attack.”
Saleem maintains that these vulnerabilities were identified and reported to Ledger’s CTO Nicolas Bacca on 11th November 2017. On 14th November 2017, Saleem demonstrated practical supply chain attack and sent the source code the Bacca. On 6th March 2018, the company released a firmware update for Ledger Nano S wallets, however, patches for Ledger Blue are yet to be released.
But everything did not go smooth, in a tweet sent out by Saleem he denied allegations that he is affiliated with Leger competitor Trezor. He tweeted that as an independent security researcher he has only done security-related research work for Trezor and others.
— Saleem "Unhackable" Rashid (@spudowiar) March 20, 2018
In response to Saleem’s findings, Ledger Team said that in order to carry out the attack, hackers require physical access to the device or if the victim had bought a used or secondhand device.
“By having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller.”
“If you bought your device from a different channel, if this is a second-hand device, or if you are unsure, then you could be a victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is a proof that your device has never been compromised,” said the team.
While addressing the isolation attack (after purchase attack) the company stated that “This attack can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo.”
This is not the first time when Ledger is in the news for all the wrong reasons. In February this year, a group of security researchers revealed that all Ledger hardware wallets were vulnerable to man in the middle attack.