Ledger to Delay Nano X Supply

As an apology for the incident, Ledger will add a Nano S wallet to the orders of customers who ordered the Nano X before today's notice
22 March 2019

Ledger reported that customers who ordered its new device model, the Nano X, will have to wait longer than the previously announced period.

Due to unexpected production issues that surfaced at the last moment, we are sorry to let you know that our Ledger Nano X units will not be shipped this week as expected. We are doing everything we can to get our Nano X units shipped as soon as possible, but as of today, we are delayed by at least one month and possibly more. We will keep you updated as we learn more.

Ledger Team

Until today, the Ledger Nano X order page stated that the first owners would receive their new devices in early April. According to the updated information on the same page, that will not happen until the end of May.

The company explains that it received the parts that were to be used to assemble the first batch of wallets but was forced to reject them because they did not meet its quality standards. This, in turn, meant the announced delivery dates could not be met.

As an apology for the incident, Ledger will add a Nano S wallet to the orders of customers who ordered the Nano X before today's notice. The additional wallet is intended to be used as a backup for the main device.

At the beginning of the month, a bug was detected that caused the Monero application on Nano S wallets to work incorrectly, which in some cases could lead to a loss of cryptocurrency.

Ledger Discovers HSM Vulnerability

An HSM is an external device designed to store public and private keys used to generate digital signatures and to encrypt data; it is used by banks, exchanges, etc.
10 June 2019

A group of researchers from Ledger identified several vulnerabilities in Hardware Security Module (HSM) devices that can be used to extract keys or to perform a remote attack that replaces the firmware of an HSM device. The problem report is currently available only in French; the English-language report is scheduled to be published in August during the Black Hat USA 2019 conference. An HSM is a specialized external device designed to store public and private keys used to generate digital signatures and to encrypt data.

An HSM significantly increases protection because it completely isolates keys from the system and applications, exposing only an API for basic cryptographic primitives that are implemented on the device side. Typically, HSMs are used in areas that require the highest protection, for example in banks, cryptocurrency exchanges, and certificate authorities that verify and generate certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain complete control over the contents of the HSM, including extracting all the cryptographic keys and administrative credentials stored on the device. The problems are caused by a buffer overflow in the internal PKCS #11 command handler and by an error in the implementation of the cryptographic protection of the firmware, which makes it possible to bypass the firmware check that uses a PKCS #1 v1.5 digital signature and to load one's own firmware into the HSM.

The name of the manufacturer whose HSM devices are vulnerable has not yet been disclosed, but it is claimed that the affected devices are used by some large banks and cloud service providers. At the same time, it is reported that information about the problems was sent to the manufacturer earlier and that it has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the problem may be in devices made by Gemalto, which in May released an update to Sentinel LDK that fixes vulnerabilities whose details are still not public.