https://arstechnica.com/information-technology/2018/03/a-tamper-proof-currency-wallet-just-got-trivially-backdoored-by-a-15-year-old/

Quote

For years, executives at France-based Ledger have boasted their specialized hardware for storing cryptocurrencies is so securely designed that resellers or others in the supply chain can't tamper with the devices without it being painfully obvious to end users. The reason: "cryptographic attestation" that uses unforgeable digital signatures to ensure that only authorized code runs on the hardware wallet.

"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300-bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.

Be careful with where you use your hardware wallet.

5 minutes ago, mandelbaum said:

If this turns out to be true....   Let's just say I hope it's not true.  Lots - and lots - of people investing in crypto have used a nano. 


This was mentioned earlier today. If I'm not mistaken the vulnerability has been patched. People need to update their Nano. Alex said so too yesterday in his video.

Guest
18 minutes ago, XRPHdlr said:

This was mentioned earlier today. If I'm not mistaken the vulnerability has been patched. People need to update their Nano. Alex said so too yesterday in his video.

hmmm

Quote

Two weeks ago, Ledger officials updated the Nano S to mitigate the vulnerability Rashid privately reported to them in November. In the release notes for firmware version 1.4.1, however, Ledger Chief Security Officer Charles Guillemet stressed the vulnerability was "NOT critical." In a deeper-dive into the security fix published Tuesday, Guillemet said the "attack cannot extract the private keys or the seed," an assertion that Rashid has publicly challenged as incorrect.

Guillemet also said Ledger can detect backdoored wallets if they connect to the Ledger server using a device manager to load applications or update the firmware. He said he had no estimate when the same vulnerability in Ledger Blue would be patched. "As the Blue has been distributed almost exclusively through direct sales, the probability to run the 'shady reseller scam' is negligible," he said. Meanwhile, the company post saying there is "absolutely no way" firmware can be replaced on Ledger devices remains.

 


There is already a patch out for this, but the assertion that "The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses." wouldn't work. 

Rebooting a different Nano to factory settings and inputting his self-generated seed would only give him access to his own account, on a new/different Nano. Unless I'm missing something... He'd have to have a Nano, implant the backdoor code, sell it, wait for someone to use it themselves, and then buy/steal it back from them.

That's not to say that his firmware hack isn't brilliant, because it is... especially for a supposed self-taught 15-year-old. But this isn't something that concerns me.

Guest

https://www.ledger.fr/2018/03/20/firmware-1-4-deep-dive-security-fixes/

Quote

Take away: the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe.

For more details, and an in-depth explanation of all the attack vectors, please read this article. We also invite you to consult the FAQ at the end.

Update: Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.

 

Guest
3 minutes ago, ErikNL said:

Please correct me if I'm wrong, but the latest batch of Nano S Ledgers (delivery from end of last February) already has this 1.4.1 firmware. So at least that'd be good news for new users. 

Not sure, I know they blogged about the latest 1.4.1 firmware patch on 06/03/2018

but presumably it was already patched in 1.4? Not sure

https://www.ledger.fr/2018/03/06/new-firmware-update-1-4-1-available-for-the-nano-s/

30 minutes ago, zerpdigger said:

Update: Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.

I wonder if a 15 year old can legally sign such agreements anyways. Also making people sign agreements that spend their money and time to improve your product is shady at best.

At least I now feel confirmed in my decision not to touch ledger hardware...

Guest
53 minutes ago, Sukrim said:

I wonder if a 15 year old can legally sign such agreements anyways. Also making people sign agreements that spend their money and time to improve your product is shady at best.

At least I now feel confirmed in my decision not to touch ledger hardware...

I'm sure they legally vetted it -- part of their agreement states

Quote

You are of legal age in your jurisdiction to enter into this agreement (or your parent or guardian is signing this agreement for you);

 

1 hour ago, ErikNL said:

Please correct me if I'm wrong, but the latest batch of Nano S Ledgers (delivery from end of last February) already has this 1.4.1 firmware. So at least that'd be good news for new users. 

Yup I'm afraid you're wrong. Got my Ledger end of February and it had firmware 1.3something on it. Did the update today.

Edited by supersonic

4 minutes ago, supersonic said:

Yup I'm afraid you're wrong. Got my Ledger end of February and it had firmware 1.3something on it. Did the update today.

Hmm, okay thanks. Need to check mine in that case ;)
