According to a report published on DocDroid on February 3, 2018, a vulnerability affecting all hardware wallet devices was discovered in the Ledger Wallet. The issue could lead to users losing their funds.
The malware can reportedly replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker. Moreover, it is impossible for the wallet's user to verify the integrity of the receive address. Wallet users were advised to always verify their receive address on the device's screen by clicking the "monitor button".
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) 3 February 2018
- Since all the Ledger wallet software is located in the AppData folder, even unprivileged malware can modify it, as there is no need to gain administrative rights
- The Ledger wallet doesn't implement any integrity check or anti-tampering protection for its source files, so they can be modified by anyone
- The malware replaces one line of code in the Ledger software using fewer than 10 lines of Python code
- If the machine was pre-infected, the user's first transaction may be compromised, causing the user to lose all of their funds
- The attack changes the receive address during its generation, so even the automatically generated QR code is updated to the attacker's address
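The report's second point, that the wallet software ships with no integrity check on its source files under a user-writable AppData folder, is the root cause the other points build on. As an added example (not code from the report or from Ledger), the following Python script shows the minimal defensive control that would have detected such a modification: a SHA-256 manifest of the application directory, taken from a known-good install, that is re-verified before the application is trusted. The `wallet-app` directory layout, file names and contents are constructed for the demonstration and are not Ledger's.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(app_dir: Path) -> dict:
    """Record the SHA-256 of every file under app_dir, keyed by its relative POSIX path."""
    manifest = {}
    for entry in sorted(app_dir.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(app_dir).as_posix()] = sha256_of(entry)
    return manifest


def verify_manifest(app_dir: Path, manifest: dict) -> list:
    """Compare the directory against a known-good manifest.

    Returns a sorted list of (relative_path, reason) findings; an empty list means
    every recorded file is present with its expected hash and nothing was added.
    """
    findings = []
    current = build_manifest(app_dir)
    for rel_path, expected in manifest.items():
        actual = current.get(rel_path)
        if actual is None:
            findings.append((rel_path, "missing"))
        elif actual != expected:
            findings.append((rel_path, "modified"))
    for rel_path in current:
        if rel_path not in manifest:
            findings.append((rel_path, "unexpected file"))
    return sorted(findings)


def demo() -> list:
    """Build a constructed wallet-like directory, record a manifest, alter one
    source file and drop an extra file, then return what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "wallet-app"          # constructed, stands in for an AppData install
        (app_dir / "src").mkdir(parents=True)
        # Constructed placeholder sources; the real application's files would be hashed instead.
        (app_dir / "src" / "address.js").write_text("module.exports = () => deriveReceiveAddress();\n")
        (app_dir / "package.json").write_text('{"name": "example-wallet"}\n')

        manifest = build_manifest(app_dir)           # taken from the known-good install
        if verify_manifest(app_dir, manifest):
            raise RuntimeError("fresh install should verify clean")

        # Simulate the unprivileged on-disk modification the report describes:
        # one source file rewritten, plus one file that was never part of the install.
        (app_dir / "src" / "address.js").write_text("module.exports = () => TAMPERED;\n")
        (app_dir / "injected.js").write_text("// not part of the shipped bundle\n")
        return verify_manifest(app_dir, manifest)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:15} {rel_path}")
```

The check is only as trustworthy as the place the manifest lives: a manifest stored next to the application in the same user-writable folder can be rewritten by the same unprivileged malware, so in practice the expected hashes must either be signed with a vendor key that the verifier pins, or be kept somewhere the user's account cannot write to. Even then, verification running inside the application can be bypassed by patching the verifier itself, which is why the device-screen confirmation Ledger recommends remains the control that does not depend on the host being clean.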