Kraken Security Labs, the cybersecurity division of US-based cryptocurrency exchange Kraken, has identified new potential attacks against popular hardware wallet Ledger.
These attacks can affect Ledger Nano X wallets if they execute prior to the user receiving the wallet, if a wallet was intercepted during shipment or obtained from a malicious reseller, Kraken noted. This leaves the attackers theoretically capable of controlling computers connected to Ledger wallets and running malware on them. Thankfully it stayed theoretical — the issue was repaired.
Had the matter gone unaddressed, then we’d start hearing about “Bad Ledger attacks” and “Blind Ledger attacks.” The first of these would infect a Ledger Nano X wallet by modifying its debugging protocol to act as an input device, like a keyboard. Using keyboard shortcuts, it can open a browser and navigate to Kraken’s exchange. The second kind of attack approves malicious transactions while a device’s display is turned off. This exploit can manipulate the wallet’s display and convince users to press a series of buttons that approves a malicious transaction.
Ledger issued a security bulletin in response to the discovery, confirming that this vulnerability could lead to supply chain attack scenarios. The company also indicated that the latest firmware update would protect wallet holders from these attacks.
“Debugging capabilities are permanently switched off as soon as an application is installed [...] These attacks cannot be performed once an application has been installed on the device.”
The Nano X is the latest crypto wallet by major hardware wallet manufacturer Ledger. Released in 2019, it is the only rechargeable Ledger wallet that works wirelessly via Bluetooth. On July 6, Cointelegraph reported on Ledger CTO Charles Guillemet denying Ledger’s alleged double-spend vulnerability.