
15-Year-Old Hacks Hardware Crypto Wallet Ledger

The Ledger Nano S hardware wallet has been broken into: teenage security researcher Saleem Rashid found an issue with the “tamper-free” wallet. The story began in Nov. 2017, when Rashid reported to Ledger CTO Nicolas Bacca a flaw that could allow attackers to steal funds from wallet users.

Rashid had observed that the microcontroller used in the wallet was not secure. It drives the buttons and display used to enter data, and it sits as a proxy in front of the Secure Element (SE), which holds the private keys. That position meant a hacker could trick the SE in several ways. Here’s how: a retailer or reseller could replace the microcontroller’s firmware, and the compromised firmware could still verify its ‘identity’ to the SE. He further explained that an attacker who controls the user interface could use their malicious code to set the randomness to zero and install a recovery seed of their own choosing. Rashid chose the word ‘abandon’ to demonstrate this in an uploaded video. Once the attacker knows the mnemonic phrase, obtaining the private keys is easy.

https://saleemrashid.com/assets/ledger-exploit-73ac411c441ba7fdea0d567237ca7f7b1e0e91fa8a2b2230eae5fc1dc90a3611.mp4
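The ‘abandon’ phrase in the video is what the BIP39 seed derivation produces when the entropy fed into it is all zeros. The example below is added here to show that derivation and a defensive sanity check; it is not code from the article, from Rashid or from Ledger, and it embeds only the first four words of the 2048-word BIP39 list, which is enough to render the zero-entropy phrase.

```python
import hashlib

# Constructed partial BIP39 wordlist: only the first 4 of the 2048 words.
# A real wallet loads the full list; this is enough for the all-zero case.
PARTIAL_WORDLIST = ["abandon", "ability", "able", "about"]


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39: append the first ENT/32 bits of SHA-256(entropy) as a checksum,
    then split the resulting bit string into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[:checksum_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_to_words(indices: list) -> str:
    """Map word indices to words using the partial list above."""
    words = []
    for i in indices:
        if i >= len(PARTIAL_WORDLIST):
            raise LookupError(f"index {i} is outside the partial wordlist")
        words.append(PARTIAL_WORDLIST[i])
    return " ".join(words)


def entropy_looks_degenerate(entropy: bytes) -> bool:
    """Cheap sanity check a wallet can run before ever displaying a seed:
    reject entropy whose bytes are all identical (all zeros included).
    It catches a stuck or forced RNG, not a subtly biased one."""
    return len(set(entropy)) <= 1


if __name__ == "__main__":
    zero_entropy = bytes(16)  # 128 bits of zeros, as in the demonstration
    idx = entropy_to_indices(zero_entropy)
    print(idx)                               # eleven 0s, then 3
    print(indices_to_words(idx))             # "abandon" x11 + "about"
    print(entropy_looks_degenerate(zero_entropy))  # True
```

The last word differs from the others only because of the SHA-256 checksum bits, which is why a wallet that silently accepts zeroed entropy produces a phrase anyone can reconstruct.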

After Rashid sent his research to Ledger, he felt the flaw was not taken seriously by the team. Ledger did, however, publish a firmware update on Mar. 6, which Rashid heavily criticized. He posted his opinions on Twitter, since he believed the team should either have labeled it a critical update or disguised it so that attackers had no time to make use of the trick.

Panic spread among users, who took to Reddit to discuss their next move. Eric Larchevêque, Ledger’s CEO, replied to one such post saying it was “a massive FUD”, and that Rashid was trying to bring attention to himself when the problem was clearly not high-priority. “Saleem got visibly upset when we didn’t communicate as ‘critical security update’ and decided to share his opinion on the subject,” wrote Larchevêque.

On Mar. 20, Ledger published another update that explained three problems discovered by bounty program researchers: Timothée Isnard, Saleem Rashid and Sergei Volokitin. Interestingly, Rashid denied this statement, because signing Ledger’s Bounty Program Agreement would have barred him from publishing a technical report, which he clearly did on the very same day. As for the new update, Rashid explained that the company had not let him receive the ‘release candidate’, and he believed that the new fixes were not completely free from hacker attacks.

“Is it truly possible to use a combination of timing and ‘difficult to compress’ firmware to achieve security in this model?”, wrote Rashid. He received support from cryptographer Matthew Green, who explained in a lengthy Twitter thread how the teenager was able to break through Ledger’s security design.

The teenager, who lives in the U.K., previously uncovered a problem in the TREZOR One cryptocurrency hardware wallet. That issue was resolved through healthy communication between both parties. SatoshiLabs CEO Marek Palatinus even praised Rashid for his work: “His out-of-the-box thinking and creative approach help us to make an even more secure product.”

Featured image from Ledger.

21.03.2018 / 18:10