Ledger: Recently Discovered Wallet Vulnerabilities Not Critical
Ledger claimed that the recently uncovered vulnerabilities in their hardware wallets are not critical.
In the post, the company explains that there appeared to be “three attack paths which could give the impression that critical vulnerabilities were uncovered,” but according to them “this is not the case.”
The reason Ledger says that the vulnerability is not critical is that “they did not succeed to extract any seed nor PIN on a stolen device” and “sensitive assets stored on the Secure Element remain secure.”
According to the company, the Ledger Nano S vulnerability “demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) app is launched.”
This, Ledger claims, is “quite unpractical, and a motivated hacker would definitely use more efficient tricks.” While the researchers claimed that the vulnerability allowed them to “send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves” Ledger denies its, stating:
“Their firmware runs snake on the MCU in Bootloader mode. This means that you have to push the left button at boot and the Secure Element does not even boot.”
Ledger also claims that the demonstration of the Ledger Blue attack is “a bit unrealistic and not practical,” claiming that “the position of the receiver and the attacked device must be exactly the same, the position of the USB cable is also paramount (as it acts as an antenna).”
The post stated that “if the conditions are not exactly the same, the machine learning classifier won’t work properly.” For this reason, Ledger concluded:
“This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).”
Furthermore, because of this vulnerability, Ledger stated that the next Ledger Blue firmware update will feature a randomized keyboard for the pin.
The company also stated that they “regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.” According to Ledger “in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users.”
In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault. Moreover, the company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.