March 23, 2018
A hardware wallet created to store crypto-currencies, and advertised by its producer as tamper-proof, has been hacked by a 15-year-old British.
Writing on his blog, Saleem Rashid said he had written code that provided him a backdoor into the Ledger Nano S, a $100 (£70) appliance that has sold millions all over the world.
It would let a hateful attacker deplete the wallet of funds, he said.
The company behind the wallet stated that it had supplied a safety solution.
It is supposed the fault also affects one more model – the Nano Blue – and a solution for that will not be available “for many weeks”, the company’s chief safety officer, Charles Guillemet told Quartz magazine.
Crypto-currencies such as Bitcoin utilize an encryption method called public key cryptography to safeguard funds. Users can expend the money saved only if they have access to the secret key.
Hardware wallets save these secret keys and can be linked to a PC through a USB port.
The attack targets the appliance’s micro-controllers, one of which saves the secret key, while the other acts as its substitution to support presentation functions and the USB interface.
The latter is less safe and is not capable to distinguish between authentic firmware – software automated into an appliance – and code written by an outsider.
One big caution for the method found by the young person is that the attacker would require physical access to a wallet prior to it got into the hands of the victim – so, for example, by purchasing one, changing it and then vending it on eBay or a similar online site.
In his blog, Rashid said that he had transmitted the code he had created to Ledger “a few months ago”, adding that he had not been paid a prize.
He said that he selected to circulate after Ledger’s chief executive Eric Larcheveque made remarks on Reddit which, as per the teenager, “were filled with technical inaccuracy”.
“As a consequence of this, I became worried that this weakness would not be appropriately described to clients,” he wrote.
In his Reddit remarks, Mr. Larcheveque stated that the safety issue had “been greatly overstated”.
“While possible, this evidence of idea ranks in no way as a dangerous severity level and has never been shown,” he wrote.
He blamed the young person of becoming “visibly upset” when the company didn’t share the fix as a “critical safety update” and said his decision to go public had “created a great deal of panic”.
Craig Young, a researcher at Safety Company Tripwire remarked: “It is very tough to thoroughly protect any appliance from attackers with actual access. This is why it is so crucial to have reliable part makers, traders, and repair services.
“In this specific case, it was found that anybody with physical access might change the Ledger hardware wallet to access funds. Basically, this would imply that somebody vending this hardware wallet would be able to steal funds from their clients.
“Luckily for Ledger owners, the trouble was sensibly reported to the seller and a coordinated disclosure minimized danger to end users.”
A few weeks ago, Ledger verified that a separate mistake made its wallets vulnerable to one more attack in which malware might deceive users into mistakenly sending their crypto-currency to hackers.