The manufacturer, which claimed the hardware couldn’t be compromised, issued a security patch after the vulnerability was reported.
A British 15-year-old has exposed a major flaw in a security-focused cryptocurrency hardware wallet that was lauded by the manufacturer as being ‘tamper-proof’.
The teenager – named as Saleem Rashid – discovered a serious flaw in Ledger’s Nano S device which allows an attacker to steal the cryptographic key, basically opening the door to steal the users’ funds.
French firm Ledger said it designed the wallets to be “tamper-proof” – a claim they even printed on the back of the packaging.
In 2015, the company said: “There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key.”
The CTO of Ledger even claimed on Twitter that the devices were safe enough to be bought from eBay.
Ledger, however, was left red-faced last night after Rashid released a report and demonstrated how he created a backdoor to steal the private keys.
The young researcher, who is reportedly from southern England, developed a stealth backdoor which causes the Nano S to produce predetermined wallet addresses and recovery passwords.
It allows the attacker to then enter the passwords into another Ledger wallet, and recover the private keys stored in the original device.
This attack can be carried out by installing a malicious version of the firmware – something that takes 20 seconds to complete, Rashid said.
The devices contain a special chip called a ‘secure element’, which contains the sensitive data, and a less-secure microprocessor.
It was by targeting the microprocessor that the teen was able to carry out the attack.
Rashid did add that in order to perform the assault, the attacker would have to be able to physically access or steal the device.
When an attacker gains physical access to a device or computer, of course, they can carry out almost anything.
But what’s interesting is that Ledger sell the Nano S through third-party companies – affording attackers the perfect opportunity to plant the software before the device reaches the customer.
An attack could also be carried out during the supply chain, something which the National Security Agency (NSA) was accused of back in 2014.
Cryptography professor Matthew Green, from John Hopkins University, wrote on Twitter that the discovery was “extremely cool” and warned that Ledger may struggle to fix the issue.
He wrote: “… Since Ledger can’t update the hardware on their devices presumably they’re going to have to try to harden their approach even further. I’m really interested to see whether they win this!
“Because if someone can make this approach work, it would have huge implications for a large class of devices beyond wallets. I’m deeply skeptical. But I’m always skeptical. Excited to see how it goes.”
Ledger announced in a blog post that is has issued an update which it says patches the security issues.
The flaw could still reportedly be exploited in the Ledger Blue wallets, which won’t be patched until next month, but Rashid didn’t test his exploit on one of these models.