The Ledger Hardware Wallet for cryptocurrencies is used for storing crypto assets and help secure the digital payments. It can be connected to any computer through a USB and has security-enabled buttons on the hardware device itself. However, many experts are starting to question the safety of these devices if taken advantage of by notorious hackers.
Suberg writes in Cointelegraph how a hacker was able to exploit the Ledger Hardware Wallet. British teen Saleem Rashid, only 15 years old, created a code to attack Ledger’s wallets in November 2017. The company claimed that the threat was ‘NOT critical’, stating that private keys cannot be extracted so easily.
A few days ago, Rashid posted on social media and his personal blog titling the major issue as ‘Breaking the Ledger Security Model’.
It stated that Rashid was still capable of extracting the root private key once the device is unlocked which can be used to change destination addresses of a transaction.
Security Boulevard – a website dedicated to technology security had a brief outline of how Rashid succeeded to gain access along with expert views on his hack.
What is interesting is how Rasheed understood the dynamics of the hardware. The Ledger has two chips, one is secure and the other not. The non-secure chip is used for various purposes such as the USB connection and to display text, which was compromised and able to run malicious code without being detected.
The young Brit commented that “You can install whatever you want on that non-secure chip because the code running on there can lie to you.”
Kenneth White, Director of the Open Crypto Audit Project reviewed Rashid’s findings and was impressed by the proof-of-concept attack.
TheNextWeb showed the sentiments of Ledger Chief Security officer Charles Guillemet who downplayed the hack from Rasheed.
Quoted in reference to a mail by Guillemet, “The Ledger Nanoarchitecture is built around a secure element: a secure chip. A microcontroller is also in charge of the USB proxy, and of interacting with the buttons and screen. The authentication of the microcontroller is performed by the secure chip.”
As hacks like these surface companies would, in theory, be able to better keep their security intact. However, this demands the attention and resources be put on fixing the security threats as well, which Ledger clearly is not doing. They need to brush off their ego and focus on making their software and hardware more secure to be able to gain back the trust of their customers.
EDIT: Ledger reached out to us on Twitter and commented:
Thank you for your article. All these vulnerabilities have been addressed and patched by our March 6th firmware update. We have written an extensive report on the subject here https://t.co/E28JwlosGD It would be fair to update your article with this information.
— Ledger (@LedgerHQ) March 26, 2018
Image Source “Pixabay”