Old 20.03.2018., 20:29   #103
The Exiled
McG
Registration date: Feb 2014
Location: Varaždin
Posts: 6,763
15-Year-old Finds Flaw in Ledger Crypto Wallet
Quote:
The trouble is that consumer demand for Ledger’s products has frequently outpaced the company’s ability to produce them (it has sold over a million of its most popular Nano S models to date). This has prompted the company’s chief technology officer to state publicly that Ledger’s built-in security model is so robust that it is safe to purchase their products from a wide range of third-party sellers, including Amazon and eBay. A reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account(s) when the user goes to use it. The crux of the problem is that Ledger’s devices contain a secure processor chip and a non-secure microcontroller chip. The latter is used for a variety of non-security related purposes, from handling the USB connections to displaying text on the Ledger’s digital display, but the two chips still pass information between each other.
Ledger’s products do contain a mechanism for checking to ensure the code powering the devices has not been modified, but Rashid’s proof-of-concept code — being released today in tandem with an announcement from Ledger about a new firmware update designed to fix the bug — allows an attacker to force the device to sidestep those security checks. Nevertheless, given that many cryptocurrency owners turn to hardware wallets like Ledger to safeguard some or all of their virtual currency, it’s probably a good idea if you are going to rely on one of these devices to purchase it directly from the source, and to apply any available firmware updates before using it.
Source: Krebs on Security