A 15-Year-Old Hacked the Secure Ledger Crypto Wallet

An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.

Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.

Not secure against physical attack - duh!

[FeelGood314]

Unless you mined the sand yourself, built the lithography machine and pretty much did every other step in building the device you can't be secure against an attack where someone physically substitutes part of the product on you. If the Pseudo Random Number Generator has a seed the attacker knows, or the program in the device is completely rewritten by the attacker or the entire device is counter fit, the bad guy will win and there is nothing that the makers of the Crypto Ledger Wallet can do.

These aren't the attacks I need to worry about. Crypto Ledger Wallet was polite in even responding to this kid. John Biggs (writer for Tech Crunch) is an idiot for even writing the story.

Re:Re

[Mr0bvious]

There are far simpler attacks and plenty of fools out there to fall for it.

What's more, a hardware wallet is poor cold storage device - far too many ways for it to be compromised. If you're using a hardware wallet as your "secure offline wallet" then you're doing it wrong.

If you **need** convenience then a hardware wallet is useful, but treat it like your real cash wallet. That is, don't stick your life savings into it.

If you are after security, then paper wallets are the way to go. They lack a lot of convenience but as far as I understand, the only two vectors for attack are at key generation (do it offline and secure and you significantly reduce or eliminate any chance here) and the storage of any physical access tokens (pass phrases/secret keys/etc).

IMO hardware wallets are the least secure option since there are just too many opportunities for the devices to be already compromised prior to receipt.