The 15-year-old researcher, Saleem Rashid, found a flaw in the French hardware wallet Ledger Nano S back in 2017. Anyone who owns cryptocurrency knows the importance of keeping their private keys secure. Phone and computer-based wallets are vulnerable to device and software hacking.
With hardware wallets, when the USB is connected to your computer, it does not reveal the private keys to the machine. Rashid outlines three typical kinds of attack:
- remote attacks (via malware on your computer)
- supply chain attacks (device tampered with before you receive it)
- unauthorized physical access
The hack exposed affected all three. The hacker informed Ledger so they had time to release a security patch. Ledger devices ship with a note that says “Did you notice? There is no anti-tampering sticker on this box. A cryptographic mechanism checks the integrity of your Ledger device’s internal software each time it is powered on.”
Dual processor problem
The vulnerability exists because hardware wallets tend to have two processors. One deals with security and the other handles everything else such as the display and USB connectivity.
The integrity check that Ledger runs attests to the software of the security processor. The problem is it didn’t test the other processor, and a bad actor could tamper with it by replacing the firmware before you receive the device. It could even stop the device displaying warnings.
By tweaking the firmware, it is possible to change the recovery seed. Since the recovery seed is used to derive the private keys, if you control the recovery seed, you control all the Bitcoin addresses generated by the device.
The CEO of Ledger, the company that produces the Ledger Nano, disagreed with Rashid about the importance of the vulnerability, saying on Reddit that he was “greatly exaggerating the criticity of the issue he found” and also stating “the vulnerability reported by Saleem requires physical access to the device BEFORE setup of the seed”.
Rashid’s blog post states the vulnerability is not restricted to pre-setup, it was merely the focus of his explanation, Rashid told on reddit that this explanation from the Ledger CEO was full of contradictions.
And finally, there was surprising silence from the mainstream crypto publications even though this was an excellent story with credibility. The blog post describing the problem had additional input from Matthew Green, a respected cryptography professor at Johns Hopkins University.
It’s such a good story that Ledger Insights is covering it even though cryptocurrency is not our focus. This proofs that the mainstream crypto outlets are all collaborated to keep it under the radar, which makes you wonder who control this big crypto outlets..