The security expert Saleem Rashid detected an issue with the “tamper-free” wallet. It began in November 2017, when Rashid informed Nicolas Bacca (Ledger CTO) about a fault that could allow hackers to steal funds from wallet users.
Rashid found that the wallet's microcontroller was insecure. Because it handled the display and buttons used to enter data, it was connected to the Secure Element (SE) as a proxy. The latter contained the private keys, which meant that a hacker could trick the SE using various methods.
Retailers and resellers might change the microcontroller's firmware, which could confirm its “identity” to the SE. In his view, an attacker could control the user interface and then use malicious code to set coincidence to zero and add the semblance of their own choice. To prove his point, the expert uploaded a video showing how easily any hacker can get the private keys.
After he had sent the results of his research to Ledger, he noticed that the team was not taking the issue seriously. Then Rashid published a firmware update and seriously criticized it. He kept stating his opinions on Twitter until he was sure that the team had posted his critical update, and became disturbed, so that the attackers didn't have enough time to use these methods.
Many users panicked. Ledger's CEO, Eric Larchevêque, replied to one such message. He considered that Rashid had just been trying to become the center of public attention.
Ledger posted another update on March 20, which explained three problems disclosed by progressive program researchers: Timothee Isnard, Saleem Rashid and Sergei Volokitin. Rashid wondered whether it was really possible to secure the model by using a combination of timing and difficult-to-compress firmware. He got a report from the cryptographer Matthew Green that explained the feasible threat and how the teenager was able to break through Ledger's security tactic.
The UK teenager had recently unveiled a weak spot in the cryptocurrency hardware wallet TREZOR One. That issue was solved through healthy communication between both sides. Marek Palatinus (SatoshiLabs CEO) praised Saleem Rashid and said that his hard work, as well as his creative and extraordinary way of thinking, helped them to make modern and even more secure products.