Crypto wallet Ledger hardware hacked by 15-year-old

Ledger Nano S hardware wallet found vulnerable: a teenage security expert discovered the problem
22 March 2018

Security expert Saleem Rashid found a flaw in the “tamper-free” wallet. It began in November 2017, when Rashid told Ledger CTO Nicolas Bacca about a fault that could allow attackers to steal funds from wallet users.

Rashid found that the wallet's microcontroller was insecure. Because it handles the display and the buttons used to enter data, it is connected to the Secure Element (SE) and acts as a proxy for it. The SE holds the private keys, which meant that an attacker could deceive the SE using various methods.

Retailers and resellers might replace the microcontroller's firmware with a version that could still confirm its “identity” to the SE. In his view, the attacker could control the user interface and then use malicious code to set coincidence to zero and add the semblance of their own choice. To prove his point, the expert uploaded a video showing how easily an attacker can get private keys.

After he had sent the results of his research to Ledger, he noticed that the team was not taking the issue seriously. Then Rashid published a firmware update and seriously criticized it. He kept stating his opinions on Twitter until he was sure that the team had posted his critical update, and became disturbed so that the attackers didn't have enough time to use these methods.

Many users panicked. Ledger's CEO, Eric Larchevêque, responded to one such message. He considered that Rashid had just been trying to become the center of public attention.

Ledger posted another update on March 20, which explained 3 problems reported by progressive program researchers: Timothee Isnard, Saleem Rashid and Sergei Volokitin. Rashid wondered whether it is really possible to secure the model by using a combination of timing and difficult-to-compress firmware. He got the report from Matthew Green (the cryptographer) that explained the feasible thread and how the teenager was able to break through Ledger's security tactic.

The UK teenager had recently unveiled a weak spot in the cryptocurrency hardware wallet TREZOR One. That issue was solved through healthy communication between both sides. Marek Palatinus (SatoshiLabs CEO) praised Saleem Rashid and said that his hard work, as well as his creative and extraordinary way of thinking, helped them to make modern and even more secure products.

Ledger Team to Find Issue in New Nano S Software

Last update's security improvements have affected the amount of device memory
15 February 2019

Ledger hardware wallet developers stated that an unforeseen problem was found in software version 1.5.5 for the Nano S model. The security improvements have affected the amount of device memory.

When planning for this update we didn’t anticipate the impact it would have on Ledger Nano S capacity. This was not planned obsolescence, simply put, we messed up. We apologize and we’re committed to making it right.
 

Ledger Team

The project team apologized for the incident and promised to fix the problem during the second quarter of 2019.

The project also announced the addition of Nano S support in the Ledger Live mobile app on Android.

Earlier, researchers at Wallet.fail discovered a number of vulnerabilities in the Trezor and Ledger hardware cryptocurrency wallets. As a result, they were able to conduct a series of successful attacks on wallets during the Chaos Communication Congress in Leipzig.