New Ledger Crypto Hardware Wallet Vulnerabilities Not “Critical” According To The Company
Yesterday BitcoinExchangeGuide had reported about there were vulnerabilities found in the Ledger Wallet.
Researchers have shown how to hack Trezor One, Ledger Nano S and Ledger Blue wallets. This was shown during a hacking event called the 35C3 Refreshing Memories. The team, which called themselves Wallet.fail, was made up of three people: Dmitry Nedospasov (security researcher and hardware designer), Josh Datko (security researcher) and Thomas Roth (software developer).
— Thomas Roth (@StackSmashing) December 27, 2018
The developers were able to extract the private keys of the devices after using custom firmware. They pointed out that the breach can only be used if the user did not set a passphrase, though, so people who are really careful would not be affected by the issue.
In response to these criticisms, Ledger published a blog post to defend or at least water down their shortcomings. The began their blog post by confirming the readers that their assets are secure on their Ledger device. They then say that they are grateful to the researchers to try to find vulnerabilities, however, they do not qualify for their bug bounty program. The blog post said:
“This is the model in which vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users. In this spirit, we have a bug bounty program rewarding the security researchers for their findings. We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program. We equally feel that the findings did not provide practical vulnerabilities, as we will discuss underneath.”
— WALLET.FAIL (@walletfail) December 28, 2018
They continued to defend their potion by saying that the trio demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin app is launched. It would prove quite unpractical, and a motivated hacker would definitely use more efficient tricks (such as installing a camera to spy on the PIN entry). This attack is definitely interesting but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).
“For such a scenario, we already implemented a randomized keyboard for the PIN on the Ledger Nano S, and the same improvement is scheduled in the next Ledger Blue Firmware update. Once again, a better side channel would be to put a camera in the room and record the user entering his/her PIN.”