Slashdot Mirror
A 15-Year-Old Hacked the Secure Ledger Crypto Wallet (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.
Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.
Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.
That is actually the most eloquently informing feedback I've ever read.
You WATCH the guy at home depot use the key grinding machine, don't you? Plus, the key in and of itself is useless without the address of the door it unlocks. The supply chain attack is a real potential problem; there are certainly vendors lax enough to let that happen. After the key is initialized, I'd think smart people would avoid letting people have physical access to the machine long enough to hack it. I guess the moral is, you should always by crypto hardware from reliable sources.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Unless you mined the sand yourself, built the lithography machine and pretty much did every other step in building the device you can't be secure against an attack where someone physically substitutes part of the product on you. If the Pseudo Random Number Generator has a seed the attacker knows, or the program in the device is completely rewritten by the attacker or the entire device is counter fit, the bad guy will win and there is nothing that the makers of the Crypto Ledger Wallet can do.
These aren't the attacks I need to worry about. Crypto Ledger Wallet was polite in even responding to this kid. John Biggs (writer for Tech Crunch) is an idiot for even writing the story.
There are far simpler attacks and plenty of fools out there to fall for it.
What's more, a hardware wallet is poor cold storage device - far too many ways for it to be compromised. If you're using a hardware wallet as your "secure offline wallet" then you're doing it wrong.
If you **need** convenience then a hardware wallet is useful, but treat it like your real cash wallet. That is, don't stick your life savings into it.
If you are after security, then paper wallets are the way to go. They lack a lot of convenience but as far as I understand, the only two vectors for attack are at key generation (do it offline and secure and you significantly reduce or eliminate any chance here) and the storage of any physical access tokens (pass phrases/secret keys/etc).
IMO hardware wallets are the least secure option since there are just too many opportunities for the devices to be already compromised prior to receipt.
Never happened. True story.
This is similar to the ATM scam where people got access to ATMs during shipping and modified them to send them PINs via text messages. Supply chain attacks are real.
I know plenty of inept millenials as well. They re fun to watch pretend they know how things work. Even more fun when this boomer shows how they're wrong in front of their little echo pack of idiots.
Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices.
Too bad; I'd be impressed if a vulnerability could create an active device out of thin air!