Slashdot Mirror
A 15-Year-Old Hacked the Secure Ledger Crypto Wallet (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.
Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.
Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.
Unless you mined the sand yourself, built the lithography machine and pretty much did every other step in building the device you can't be secure against an attack where someone physically substitutes part of the product on you. If the Pseudo Random Number Generator has a seed the attacker knows, or the program in the device is completely rewritten by the attacker or the entire device is counter fit, the bad guy will win and there is nothing that the makers of the Crypto Ledger Wallet can do.
These aren't the attacks I need to worry about. Crypto Ledger Wallet was polite in even responding to this kid. John Biggs (writer for Tech Crunch) is an idiot for even writing the story.