New Ledger Crypto Hardware Wallet Vulnerabilities Not “Critical” According To The Company


Yesterday, BitcoinExchangeGuide reported that vulnerabilities had been found in the Ledger Wallet.

Researchers have shown how to hack Trezor One, Ledger Nano S and Ledger Blue wallets. This was shown during a hacking event called the 35C3 Refreshing Memories. The team, which called themselves Wallet.fail, was made up of three people: Dmitry Nedospasov (security researcher and hardware designer), Josh Datko (security researcher) and Thomas Roth (software developer).


The developers were able to extract the private keys of the devices after using custom firmware. They pointed out, though, that the breach can only be used if the user did not set a passphrase, so people who are really careful would not be affected by the issue.

In response to these criticisms, Ledger published a blog post to defend, or at least water down, its shortcomings. The company began the blog post by assuring readers that their assets are secure on their Ledger devices. It then said that it is grateful to the researchers for trying to find vulnerabilities; however, they do not qualify for its bug bounty program. The blog post said:

“This is the model in which vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users. In this spirit, we have a bug bounty program rewarding the security researchers for their findings. We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program. We equally feel that the findings did not provide practical vulnerabilities, as we will discuss underneath.”


They continued to defend their position by saying that the trio demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin app is launched. It would prove quite impractical, and a motivated hacker would definitely use more efficient tricks (such as installing a camera to spy on the PIN entry). This attack is definitely interesting but does not allow an attacker to guess someone’s PIN in real conditions (it requires that you never move your device at all).

They said:

“For such a scenario, we already implemented a randomized keyboard for the PIN on the Ledger Nano S, and the same improvement is scheduled in the next Ledger Blue Firmware update. Once again, a better side channel would be to put a camera in the room and record the user entering his/her PIN.”
