íàçâàíèå

15-Year-Old Security Researcher Shares Ledger Wallet Exploit


Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.


Ledger at Loggerheads with Security Researcher Who Found Flaw

On March 20, Ledger released an update to its firmware, 1.4.1, accompanied by a blog post that promised “a deep dive into security fixes”. It began: “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware”.

It is the exploit discovered by Saleem Rashid that’s gathered the most attention, both on account of his tender age, and his publication today of a detailed explainer on how he achieved the feat. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely,” Rashid explains. “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.” He also told a security blog that “[Ledger] make it so easy to open the device that you can take your fingernail and open it up [to tamper with it]”.


White Hat Hacker Forgoes His Bounty

Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts, while noting that this doesn’t prevent the researchers from publishing their own reports. The article is worded in such a way as to suggest all three researchers were happy to comply with this agreement, but that’s not entirely true. Rashid actually forwent his bounty reward, explaining:

I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchev?que, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.

The teen researcher is of the opinion that Ledger were seeking to downplay the seriousness of the exploit he’d uncovered. Publishing a full and frank report of how he broke the Ledger wallet, and giving up his right to a reward, hasn’t done his reputation or his Twitter follower count any harm either. Saleem Rashid is clever beyond his years, and his article on the exploit is lengthy but fascinating for anyone with an interest in such matters.


Your Cryptocurrency Hardware Wallet Is Safe

One matter in danger of getting lost amidst all this is the status of Ledger wallets. Cryptography teacher Matthew Green posted a tweetstorm in response to Rashid’s blog, exploring the difficulty of fully preventing hardware-based attacks of this nature. He finishes, reassuringly: “Nothing in the post or thread above means you should freak out about these vulns, or that you should assume other wallets are better. Just be safe.” Ledger users should update to the latest firmware, but there is no cause for alarm. Attacks such as the one demonstrated by Saleem Rashid show the difficulty of creating a device that is immune from all known forms of attack.

20.03.2018 / 15:00 93
Demand For Bitcoin Hardware Wallets Rise in South Korea, as Users Develop Awareness Demand For Bitcoin Hardware Wallets
According to security-focused researcher Kim In-soon at South Korea’s ETNews, the demand for bitcoin hardware wallets is increasing rapidly in South
Microsoft Labels Malicious Crypto Mining an ‘Increasing Threat’ as Ransomware Attacks Drop Microsoft Labels Malicious Crypto
Microsoft has released a blog post discussing the emerging threat of malicious cryptocurrency miners. The post from the Windows Defender Research
Ponzis and Death: The Stranger Ways to Lose Your Crypto Ponzis and Death: The Stranger Ways to
Bitcoin Ponzi scams are raking in millions - all without much effort. That may be self-explanatory to those who traffic the social media forums where
Report Alleges Egyptian Government is Secretly Mining Cryptocurrencies on Citizens’ Devices Report Alleges Egyptian Government is
An investigation by The Citizen lab has found evidence that Egyptian authorities are mining cryptocurrencies on citizen’s computers and laptops.
Japans Finance Giant SBI Buys 40% Of Taiwanese Crypto Hardware Wallet Company Japans Finance Giant SBI Buys 40% Of
Japanese financial giant SBI continues its cryptocurrency ventures with a 40% investment in Taiwanese hardware wallet manufacturer CoolBitX. Japanese
First Bitcoin Cash Ransomware Makes It Impossible to Decrypt Files First Bitcoin Cash Ransomware Makes It
Ransomware extortionists have seemingly started using Bitcoin Cash (BCH) for ransom payments as well, according to a report published by Bleeping
Comments (0)
Add a comment
Comment on