Cryptocurrency wallet manufacturer Ledger claims to offer a foolproof hardware wallet for storing cryptocurrencies, but a 15-year-old programmer named Saleem Rashid managed to hack into the Ledger Nano S.
In his post, Rashid discussed the vulnerabilities in Ledger's $100 hardware wallet, which he attributed to its use of a custom architecture.
He explained that a flaw in the wallet allowed an attacker with physical access to steal private keys before or even after the device was shipped.
Physical access before setup of the seed
In this scenario, termed a “supply chain attack”, a hacker can modify the generated recovery seed. As all private keys are derived from this recovery seed, it becomes easy to steal the funds loaded onto the device.
Physical access after setup
This method is known as an “Evil Maid Attack”. It enables an attacker to extract the PIN, the recovery seed and any BIP-39 passphrases used, provided the device has been used at least once after the attack.
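Why control of the recovery seed, and of any BIP-39 passphrase, amounts to control of the funds in both scenarios above: an added example, not taken from Rashid's post or from Ledger's code, of the public BIP-39 and BIP-32 derivation steps. The function names are hypothetical, and the mnemonic is the published all-zero-entropy BIP-39 test phrase, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP-32 rejects a master key outside 1..n-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP-39 test phrase (entropy of all zero bits). Never use it for funds.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def _nfkd(text):
    """BIP-39 requires NFKD normalisation before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """Stretch the recovery phrase (plus optional passphrase) into a 64-byte seed."""
    salt = _nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def bip32_master(seed):
    """Derive the BIP-32 master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def master_from_phrase(mnemonic, passphrase=""):
    """Full path from recovery words to master key.

    No device-specific secret enters the computation, so anyone who knows the
    words and the passphrase recomputes the same keys on any machine.
    """
    return bip32_master(bip39_seed(mnemonic, passphrase))


if __name__ == "__main__":
    for label, phrase in (("no passphrase", ""), ("passphrase 'TREZOR'", "TREZOR")):
        key, _ = master_from_phrase(TEST_MNEMONIC, phrase)
        print(f"{label:22s} master key {key.hex()[:16]}...")
```

Because the derivation is deterministic and uses only the words and the passphrase, a seed that someone else chose or captured cannot be made safe by changing the PIN or updating firmware; only moving funds to a freshly generated seed does that.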
Malware combined with social engineering
Here, the user is prompted to update the MCU firmware on an infected computer. Once the user confirms the update, the malware infects the MCU with malicious code and takes control of the display and confirmation buttons.
After these security vulnerabilities were exposed, Ledger released an update to its firmware, 1.4.1, on 20th March. The update patches a total of three security issues, including the one pointed out by Rashid.
The company also assured users that the update would “verify the integrity of your device” and that a successful update means that “your device has not been the target of any of the patched attack.”
Even though these updates brought some relief to Ledger users, the disclosure still puts a question mark over the company’s claims that its wallets are 100% secure.