‘Tamper-Proof’ Crypto Wallet Hacked by 15 Year Old
French company Ledger claims its crypto currency hardware is so secure it can be called tamper-proof but a 15 year old teen claims he has just hacked it.
Ledger boasts that it’s crypto wallet hardware is tamper-proof, however this claim appears to have fallen flat on its face after a 15-year old French hacker claimed to have successfully broken into it.
Ledger claims that their hardware is so secure that you could buy it’s product second hand on Ebay and still not face security issues. Saleem Rashid claims that he successfully infiltrated the ‘tamper-proof’ Ledger Nano S through a flaw in its design.
The revelation could have massive implications for the firm, which claims it has sold its product to millions of customers worldwide. In an environment already marked by recent security breaches, investors have valid concerns over the safety of their coveted cryptocurrencies.
Tampering with the ‘tamper-proof’
Rashid’s hack is comprised of a tiny piece of code, 300 bytes, this fools the device into thinking that the malware written by the hacker is genuine firmware. Once it has accessed the device’s micro-controllers, which contains the private key, the device is compromised and at the mercy of the intruder.
On his personal blog, Rashim claims: “The vulnerability arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element.“
He continues by highlighting that any potential attacker can exploit the apparent vulnerability to compromise the integrity of the device physically or remotely in what is known as a ‘supply chain attack’
Rashid claims that physical access does not require malware to gain entry, nor does it require the user to confirm any transactions. Performing the supply chain attack modifies the generated recovery seed and, according to the man himself, since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the device.
After the initial setup, all the attacker has to do is wait until the user accesses the wallet so they can discreetly withdraw or redirect funds, all without the victim knowing they were there.
Since Rashid’s claim, Ledger has released a patch which it claims solves the issue he discovered on the Ledger Nano S crypto wallet. However, the firm does have a new wallet product coming to the market known as the ‘Ledger Blue’. The firm has said that the issues found on the Ledger Nano will not affect the Blue, as the chances of an attacker carrying out the same process is negligible according to Chief Security Officer Charles Guillemet.
Despite releasing a patch, Ledger’s CEO took to Reddit to refute the claims, saying they were “greatly exaggerated” and even claimed that it was an elaborate publicity stunt. He went on to say that “this [Rashid’s] proof of concept ranks by no mean as a critical severity level and has never been demonstrated.”
Basically, Larcheveque and Ledger claim that any successful attack is unlikely due to the attacker having to gain physical access to the product.
Despite Larcheveque’s attempts to calm Reddit users, many still raised concerns over the company’s handling of the situation, having only issued a patch for the Nano S some four months after Rashid’s initial disclosure.