Hardware cryptocurrency wallet manufacturer Ledger has discovered a vulnerability that affects all of its devices and can lead to users losing their funds, according to a report released on Saturday, Feb. 3.
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh — Ledger (@LedgerHQ) February 3, 2018
According to the report, a “man in the middle” attack can be performed when the user attempts to generate an address to receive bitcoins to their Ledger wallet. If the computer that is used in this process is infected by malware, the attacker can secretly replace the code responsible for generating the address, causing “all future deposits to be sent to the attacker.”
How to protect yourself
Fortunately for owners of its wallets, Ledger has also revealed how to avoid the “man in the middle” attack. According to the report, users should take advantage of an “undocumented” feature of the wallet that displays the receiving address on the wallet’s physical display.
By clicking the monitor button at the bottom left of the “Receive Bitcoins” menu and confirming the address on the hardware wallet’s display every time they generate a new one, users can ensure that the address has not been tampered with.
The report further indicates that this feature is not mandatory and is not enforced by Ledger’s own interface, placing the ultimate responsibility for the safety of the funds on users themselves.
Hardware wallets are regarded as one of the safest ways to store cryptocurrencies, as opposed to holding them on an online exchange or wallet.
However, with more than one million Ledger users affected by the newly discovered attack vector, it is clear that even having a hardware wallet does not “make you invincible,” in the company’s own words.
Update: The vulnerability of computers is an industry-wide problem for all hardware wallets, not only Ledger. However, the particular vulnerability was reported by Ledger in reference to their Chrome application. Ledger has since updated their Chrome application to force users to verify destination addresses on their Ledger hardware device, not just on the screen of their computer.