15-Year-Old Security Researcher Discovers Ledger Wallet Vulnerability
Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served...
Ledger, a manufacturer of hardware wallets for cryptocurrencies, released an update to its firmware, 1.4.1, accompanied by a blog post that said they would be looking into security fixes. This comes after independent security researcher Saleem Rashid demonstrated a new attack that hackers can employ to break your Ledger Nano S wallet and steal your precious coins, both physically and remotely.

In a blog post Rashid explained, “The vulnerability arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element. An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.” He added, “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.”
Ledger followed up by saying, “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware.”
Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts. Rashid actually forwent his bounty reward so that he could publish his blog post to explain in great detail what the security problem was, saying, “I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
Still, there may not be too much cause for alarm. Attacks such as the one demonstrated by Saleem Rashid show the difficulty of creating a device that is immune from all known forms of attack.