A new research report has highlighted a potential security flaw in hardware wallets which can be exploited by hackers. The report puts major hardware wallet maker Ledger in the spotlight as the researchers in question highlighted the fault to the company about a month ago.
As per a recent report by DocDroid, hardware wallets that are supposed to be more secure than the easily hackable desktop wallets. Hardware wallets act as cold storage and are used as an offline tool to store cryptocurrencies. A user is given control of a private key to send money and a public key to receive money. Every hardware wallet has an address to which the cryptocurrency gets transferred. However, due to the security flaw, a hacker can remotely change the addresses, making the user move their cryptocurrency to a different wallet.
It is worth noting that hardware wallets are highly promoted and publicised as a safer and more secure way of storing cryptocurrency than other wallets. A major flaw such as this one, however, could cast a shadow of doubt on those claims.
In the report, the researchers have quoted the concept of a ‘man in the middle attack’ where a malware modifies the application to change the receiving address to a third party one. The new address would presumably belong to the hacker who uses several random wallets to scam users.
The report says, “Ledger wallets generate the displayed receive address using JavaScript code running on the host machine, malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.”
This criticism has drawn sharp rebuttal from Ledger, which in its own blog post, has replied:
This is not a Ledger security flaw. Ledger users are not at risk, as long as they verify their new receive address on their device when they share it to receive funds. As far as we know, no user has ever lost any coins because of what remains a proof of concept.”
Ledger further insists on the fact that in a threat model where the attacker is able to do anything on the computer, it is impossible to trust what is displayed on the computer screen. It adds, “The only thing users can completely trust is what is displayed on the screen of their Ledger hardware wallet. The Ledger Wallet Bitcoin Chrome application also has a dedicated icon for the user to display the receiving address on their Ledger device. When the user clicks on this icon, the correct address is generated by the wallet and displayed on the Ledger hardware wallet’s screen.”
Nevertheless, Ledger hardware wallet holders will need to be more careful when transferring cryptocurrencies to a digital wallet and must always check the receiving address by clicking on the monitor icon button, located down below in the left side on the screen.
In response to the issue, Ledger has released an update to its application that will request users to verify receiving addresses before transferring. However, the option is a toggle and not compulsory. Ledger has asked users to ensure that their apps on the Nano S are updated to the latest version.