Security breach: Ledger Nano S must be updated!

A 15-year-old discovered a vulnerability in the Ledger Nano S wallet that allows him to redirect transactions and manipulate both seeds and recovery passwords. Working with him, Ledger's developers have now produced an update for the offline wallet, which should definitely be installed.

Hacker Saleem Rashid stated on his blog on March 20 that he had cracked the Ledger wallet

The backdoor that Rashid developed is only 300 bytes in size and makes the device generate ready-made wallet addresses and recovery passwords for the attacker. The attacker can then enter these passwords into a new hardware wallet to recover the private keys of the old device.

With the same approach, attackers could make similar interventions. For example, they can manipulate target addresses and amounts of transferred cryptocurrencies. Attackers could then redirect transactions to their own wallets.

However, in the March 6 update announcement, Ledger’s Chief Security Officer, Charles Guillemet, stressed that the vulnerability was not critical and that the attackers were not able to read the private keys. Rather, he stated that Ledger could detect manipulated wallets when they connect to the Ledger server.

Rashid doubted the security of the Ledger wallet

Rashid again questioned this statement and said that even if he fixed the problem with a small modification, he could crack the system again. According to Rashid, the vulnerability is in Ledger’s secure microcontroller (Secure Element). The Secure Element communicates with the “general-purpose microcontroller”, which Ledger calls the MCU.

The MCU in turn communicates with the rest of the hardware wallet, such as the USB host, the OLED display and the buttons that the user has to operate. Rashid’s approach is to replace the original firmware with modified code. At the same time, he manipulates the MCU so that it sends a seemingly genuine firmware image to the secure microcontroller.

In an interview with online magazine Ars Technica, Matt Green of Johns Hopkins University expressed doubts as to whether Ledger’s first update would solve the problem:

“Ledger is trying to solve a fundamental problem here. You need to check the firmware running on a processor. But their security chip can’t see the code running on the processor. So you have to get the processor to work with its own code! This would be a Catch-22, because the processor could possibly work with wrong code, which cannot be trusted. It’s like asking someone who may be a criminal whether he’s revealing his criminal record for the sake of honesty.”
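The Catch-22 in the quote, and the MCU behaviour described before it, can be modelled in a few lines. This is an added example, not code from Ledger or from Rashid: the class names, the constructed firmware bytes and the nonce-based challenge are assumptions for illustration, and the model goes slightly beyond the text by showing that a fresh challenge does not help when the processor answers about its own code.

```python
import hashlib
import os

# Constructed stand-ins for firmware images; not real Ledger firmware.
GENUINE_IMAGE = b"genuine-mcu-firmware" + bytes(range(64))
MODIFIED_IMAGE = GENUINE_IMAGE[:-8] + b"modified"

def digest(nonce, image):
    """Challenge response: hash of the verifier's nonce and a firmware image."""
    return hashlib.sha256(nonce + image).digest()

class SecureElement:
    """Verifier (assumed design): holds a reference copy of the genuine image
    but sees only the answer the MCU chooses to give."""
    def __init__(self, reference_image):
        self.reference_image = reference_image

    def attest(self, mcu):
        nonce = os.urandom(16)  # fresh challenge, so old answers cannot be replayed
        return mcu.respond(nonce) == digest(nonce, self.reference_image)

class Mcu:
    """Processor that answers the challenge over the code it really runs."""
    def __init__(self, running_image):
        self.running_image = running_image

    def respond(self, nonce):
        return digest(nonce, self.running_image)

class ImpersonatingMcu(Mcu):
    """Runs modified code but answers over a retained copy of the genuine image."""
    def __init__(self, running_image, genuine_copy):
        super().__init__(running_image)
        self.genuine_copy = genuine_copy

    def respond(self, nonce):
        return digest(nonce, self.genuine_copy)

def run_scenarios():
    """Return {scenario: (passes_attestation, actually_runs_genuine_code)}."""
    se = SecureElement(GENUINE_IMAGE)
    devices = {
        "genuine": Mcu(GENUINE_IMAGE),
        "modified, truthful": Mcu(MODIFIED_IMAGE),
        "modified, impersonating": ImpersonatingMcu(MODIFIED_IMAGE, GENUINE_IMAGE),
    }
    return {name: (se.attest(m), m.running_image == GENUINE_IMAGE)
            for name, m in devices.items()}
```

The check only catches a modified processor that answers truthfully; a design in which the verifier measures the code itself, rather than asking the processor about it, avoids the circular trust.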