A hardware wallet for virtual currencies with millions of users has been compromised by a 15-year-old security researcher.
Saleem Rashid explained how he cracked the firmware on the wallet produced by Ledger in an online post Tuesday.
Rashid performed what’s known as a “supply chain” attack. That means a targeted device is compromised before any users get their hands on it.
The attack on Ledger’s US$100 Nano S wallet creates a backdoor on the device that generates predetermined wallet addresses and passwords. With that information, a bandit could perform a number of nasty deeds, including sending money from the wallet to the attacker’s account.
Rashid informed Ledger of his hack in November. Since then, the company has released a new version of the firmware that’s supposed to address the vulnerability in the Nano S, although it remains unaddressed in another model of the wallet, the Ledger Blue.
Serious but Not Critical
For its part, Ledger discounted the severity of Rashid’s findings.
“The issues found are serious (that’s why we highly recommend the update), but NOT critical,” Ledger’s Chief Security Officer Charels Guillemet wrote in an online post. “Funds have not been at risk, and there was no demonstration of any real life attack on our devices.”
Any backdoors planted on a wallet using Rashid’s methods would be detected when the device connected with Ledger’s servers to download an application or perform a firmware update, Guillemet explained in a separate “deep dive” post about the hack.
Rashid had not yet verified if the firmware upgrade fully addressed his hack, he told Ars Technica, but noted that even if it does, the flawed design of the product makes it likely the attack could be modified to work again.
Shadow Over Wallets
Although the vulnerability discovered by Rashid may cause some concern for user’s of Ledger’s hardware wallet, it’s unlikely to create anxiety among cryptocurrency users in general.
“Ledger is a single provider of a hardware wallet. The majority of cryptocurrency users don’t use hardware wallets,” said David Johnson, CEO of Latium, an organization that pays people in cryptocurrencies for completing crowdsourced tasks.
“I don’t believe this will have massive ramifications to the cryptocurrency community as a whole,” he told TechNewsWorld.
While the attack may not affect the wider cryptocurrency community, it could cast doubt on other hardware wallets, suggested William J. Malik, vice president of infrastructure strategies at Trend Micro.
“It implies that all cryptocurrency wallets could be suffering similar vulnerabilities,” he told TechNewsWorld.
Securing the Supply Chain
Although Ledger chose to close the vulnerability in its wallet through a firmware update, tightening its supply chain security may be essential.
“No matter how good, secure or safe a solution is, there always are — and always will be — weaknesses that can be used to crack it,” observed Kirill Radchenko, CEO of Paygine.
“The question is how expensive it is to close those gaps and to prevent bad guys from using them. In this case, using tamper-proof packaging seems to be quite a sufficient measure that can be easily implemented and that does not affect the product price,” he told TechNewsWorld.
“So if a weakness can be efficiently addressed and does not cost a fortune,” Radchenko continued, “there will be no need to change the device itself or its architecture to address the problem.”
Cryptocurrency Crypto Still Safe
Rashid’s vulnerability involved Ledger’s wallet implementation — not the security of any of the cryptocurrencies that might be stored in it, emphasized Kees Schouten, the senior director for product at NYIAX.
“The security of blockchain transactions themselves are not in doubt or exposed with this hack,” he told TechNewsWorld.
“The hack wasn’t the hack of the cryptography,” Latium’s Johnson added. “It was a hack of the wallet provider’s software. If someone had undone the actual cryptography that backs cryptocurrency, then you would have a major problem on your hands.”