Looks like this week the crypto community has to confront its vulnerabilities. Following controversy regarding the NSA tracking bitcoin users, a 15-year-old has just published his escapades from finding serious security flaws in the popular Ledger Wallet after being able to ‘backdoor’ it to steal private keys.
French-based company Ledger, well-known for their hardware wallets produced for physical safekeeping of public and private keys, has been informed by Saleem Rashid, a teenage security researcher, that there’s a way to obtain the keys sought to be protected.
Anyone with a wallet’s private keys can control the funds in said wallet. Ledger hardware wallets are made to ensure user’s private keys and other credentials are not stolen from the device. Thus, transactions on a hardware wallet are made by connecting the device via a USB port to the user’s computer. However, the private keys aren’t shared with the user’s computer.
Research by Rashid and two others shows that it’s possible to get the private keys. According to Rashid, the attacker must first have physical access to the hardware wallet, so he can then inject malicious software in it.
It’s possible this vulnerability is related to the high demand and low supply of the popular Nano S hardware wallet model. This led third parties like eBay and Amazon to sell the device to users. There’s no guarantee that a third party in possession of the hardware before it’s sold would not tamper it.
This third party could update the device’s codes with malicious software, which could spin into action when an unsuspecting buyer starts using it. Then, one day, the victim may wake up and to find out the wallet has been emptied.
This serious security flaw lies in the two chips found on the device. While one is a secure processor chip, the other is a non-secure microcontroller chip. They both pass information to each other ad the non-secure microcontroller chip can be taken advantage of through malicious software that can steal private keys.
Granted, Ledger has a mechanism it uses to detect code tampering. However, Rashid says one can write code to sidestep Ledger’s detection.
Rashid claims his findings were initially dismissed, although perhaps Ledger took note as they claim to have addressed the flaws discovered by Rashid in its latest firmware update (from version 1.3.1 to version 1.4.1). In the new update it is said to be difficult to bypass the anti-tampering detection.
The young researcher is of the opinion that adding a tamper-proof seal to the hardware wallets would add another layer of security, however a Ledger representative, Charles Guillemet,, thinks otherwise.
Regarding the sale of Ledgr wallets through third parties, despite Rashid’s findings, Guillemet said:
“As we have upgraded our solution to prove the genuineness of our product using cryptographic checks, I don’t see why we should change this statement.”
To be on the safe side, directly purchasing from Ledger is advised.