• Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
HackRead
  • April 19th, 2021
  • Home
  • Advertise
  • Privacy Policy
  • Contact Us
HackRead
  • Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
  • Follow us
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
Home
Hacking News
News

Teen Hacks Ledger Hardware Cryptocurrency Wallet

March 22nd, 2018 Waqas News 0 comments
Teen Hacks Ledger Hardware Cryptocurrency Wallet
Share on FacebookShare on Twitter

A 15-year-old IT security researcher Saleem Rashid has identified a set of three highly critical vulnerabilities in hardware cryptocurrency wallet Ledger that would allow attackers to compromise the device before even the user could receive it.

According to the proof of concept published by Saleem in his blog post, he infected the Ledger Nano S, a  $100 (€82) hardware wallet with a backdoor that allowed him to access the device without any hurdle.

Saleem went on the explain that by exploiting these vulnerabilities malicious attackers can access PIN codes (secret/private keys) of users and empty their wallets by stealing every dime of their stored cryptocurrency without raising any suspicion – Simply put, Saleem conducted a “supply chain attack.”

Saleem maintains that these vulnerabilities were identified and reported to Ledger’s CTO Nicolas Bacca on 11th November 2017. On 14th November 2017, Saleem demonstrated practical supply chain attack and sent the source code the Bacca. On 6th March 2018, the company released a firmware update for Ledger Nano S wallets, however, patches for Ledger Blue are yet to be released.

But everything did not go smooth, in a tweet sent out by Saleem he denied allegations that he is affiliated with Leger competitor Trezor. He tweeted that as an independent security researcher he has only done security-related research work for Trezor and others.

In the interests of full disclosure: I own a @TREZOR. I also own a @DigitalBitbox.

I have contributed to the open source @TREZOR firmware in the past and I have worked as a contractor for @NEMofficial to implement $NEM support for TREZOR. 2/

— Saleem "Unhackable" Rashid (@spudowiar) March 20, 2018

In response to Saleem’s findings, Ledger Team said that in order to carry out the attack, hackers require physical access to the device or if the victim had bought a used or secondhand device.

“By having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller.”

“If you bought your device from a different channel, if this is a second-hand device, or if you are unsure, then you could be a victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is a proof that your device has never been compromised,” said the team.

While addressing the isolation attack (after purchase attack) the company stated that “This attack can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo.”

This is not the first time when Ledger is in the news for all the wrong reasons. In February this year, a group of security researchers revealed that all Ledger hardware wallets were vulnerable to man in the middle attack.

Although 100% security is a myth, hardware wallets are still an affordable and secure option for storing cryptocurrencies as compared to storing funds online.

  • Tags
  • Bitcoin
  • Cryptocurrency
  • Ethereum
  • hacking
  • Ledger
  • Monero
  • Money
  • security
  • Technology
  • Trezor
  • Vulnerability
Facebook Twitter LinkedIn Pinterest
Previous article Vivaldi browser puts DuckDuckGo as default search engine for private windows
Next article The Pirate Bay is Down Again for the 3rd Time in a Week
Waqas

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related Posts
1-click code execution vulnerabilities in popular software apps

1-click code execution vulnerabilities in popular software apps

Facebook ads dropped malware posing as Clubhouse app for PC

Facebook ads dropped malware posing as Clubhouse app for PC

Hackers exploiting critical vulnerabilities in Fortinet VPN - FBI-CISA

Hackers exploiting critical vulnerabilities in Fortinet VPN - FBI-CISA

Newsletter

Get the best stories straight into your inbox!



Don’t worry, we don’t spam

Latest Posts
WhatsApp Pink is malware spreading through group chats
Security

WhatsApp Pink is malware spreading through group chats

A hacker claims to be selling sensitive data from OTP generating firm
Hacking News

A hacker claims to be selling sensitive data from OTP generating firm

1-click code execution vulnerabilities in popular software apps
News

1-click code execution vulnerabilities in popular software apps

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.

Follow us