A tamper-proof Bitcoin wallet was hacked by a British 15-year-old

Ledger and the hacker disagree about the extent to which the problem has been solved

If you have a huge amount of cryptocurrency, you may not trust websites to hold your assets. Who could blame you, with the Mt Gox collapse still relatively fresh in the memory? Keeping your Bitcoin, Litecoin, Ethereum or whatever your choice of cryptocurrency poison on an innocuous-looking USB stick is an option, but some want more thorough protection, and that's where French company Ledger comes in. Its specialised hardware is supposed to be so secure that it's essentially tamper-proof. Buy it preowned on eBay, if you must, the company said: it's unhackable, so your Bitcoin millions are safe.

Well, that tamper-proof wallet has just been tampered with: 15-year-old Saleem Rashid privately disclosed a proof of concept that allowed him to backdoor the Ledger Nano S, a 70 hardware wallet that the company says has been sold to millions worldwide.

Rashid's hack, revealed on his personal blog, is a tiny 300-byte bit of code that targets the device's microcontrollers. One of these stores the private key, and the other acts as a proxy, handling the display and the USB interface. The latter is far less secure, and can't tell the difference between genuine firmware and firmware written by a hacker.

That means a preowned wallet could generate fake passwords for new owners, or an attacker could change wallet destinations and payments.


Ledger has issued a patch for the Ledger Nano S, four months after the initial disclosure, although nothing yet for the 140 Ledger Blue; a patch is coming, but it's not viewed as urgent. "As the Blue has been distributed almost exclusively through direct sales, the probability to run the 'shady reseller scam' is negligible," said Ledger's chief security officer, Charles Guillemet.

"Greatly exaggerated" or a fundamentally hard problem?

In a post on Reddit, Ledger's chief executive Eric Larchevêque commented that the security issue had been "greatly exaggerated," described the disclosure as a "publicity stunt" and accused Rashid of becoming "visibly upset" when the firm didn't treat the fix as a "critical security update".

Rashid, for his part, is unconvinced that the company understands the extent of the problem, hence his decision to go public with his research, for which no bounty was paid. "I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger's CEO, made some comments on Reddit which were fraught with technical inaccuracy," he wrote. He hasn't verified the security fix that neutralises his attack, but remains unconvinced that it can truly be stopped, given the way the Ledger Nano S is designed.

Who's right? Well, Matt Green, a Johns Hopkins University specialist in encryption security, seems to back Rashid. He told Ars Technica: "Ledger is trying to solve a fundamentally hard problem. They need to check the firmware running on a processor. But their secure chip can't actually see the code running on that processor. So they have to ask the processor to supply its own code! Which is a catch-22, since that processor might not be running honest code, and so you can't trust what it gives you.

"It's like asking someone who may be a criminal to provide you with their full criminal record on the honour system."
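The catch-22 Green describes can be modelled in a few lines. This is an added, constructed illustration, not Ledger's code or Rashid's: a "secure element" that can only check the second processor by asking it for its own firmware, contrasted with a verifier that is assumed to have its own read path to the executing image (an assumed design, not one the article attributes to Ledger).

```python
"""Toy model of the firmware self-attestation problem (constructed example)."""
import hashlib
from typing import Optional

# Constructed stand-in for the genuine firmware image and its known-good hash.
GENUINE_FIRMWARE = b"genuine firmware v1 (constructed sample image)"
GENUINE_DIGEST = hashlib.sha256(GENUINE_FIRMWARE).hexdigest()


class Processor:
    """Non-secure MCU. `running` is the code it actually executes;
    `reports` is whatever it hands back when asked for its firmware."""

    def __init__(self, running: bytes, reports: Optional[bytes] = None):
        self.running = running
        self.reports = running if reports is None else reports

    def dump_firmware(self) -> bytes:
        # The secure element has no independent view of this memory, so
        # the answer is entirely under the processor's own control.
        return self.reports


def self_reported_check(mcu: Processor) -> bool:
    """The scheme the article describes: hash the code the processor supplies."""
    return hashlib.sha256(mcu.dump_firmware()).hexdigest() == GENUINE_DIGEST


def direct_read_check(mcu: Processor) -> bool:
    """Contrast (assumed design): the verifier reads the executing image itself."""
    return hashlib.sha256(mcu.running).hexdigest() == GENUINE_DIGEST


# An honest processor reports exactly what it runs.
honest = Processor(GENUINE_FIRMWARE)
# A processor running modified code but keeping a copy of the genuine image
# to hand back on request (constructed; no real payload).
dishonest = Processor(b"modified firmware (constructed)", reports=GENUINE_FIRMWARE)

if __name__ == "__main__":
    for name, mcu in (("honest", honest), ("dishonest", dishonest)):
        print(f"{name}: self-reported={self_reported_check(mcu)} "
              f"direct-read={direct_read_check(mcu)}")
```

The self-reported check accepts both processors, which is the honour-system problem in Green's analogy; only a verifier with its own view of the running code tells them apart.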

Of course, this vulnerability, assuming it is still a vulnerability, requires physical access to the hardware wallet, which may seem like a long shot for most people. The number of people in the world who would recognise what the Ledger is, let alone know how to break into one, is vanishingly small.


That's true, but this argument also misses the point altogether. Ledger sells these devices specifically to offer protection against physical access attacks. If that protection is no longer guaranteed, would people still buy the hardware?

At the very least, it's a helpful reminder that buying certain items preowned can have pretty unfortunate consequences for security, and buying direct or through a legitimate, trusted retailer is the way to go. Even if the companies tell you otherwise, spending a little extra for true peace of mind is a price worth paying.
