Discovered Vulnerability Made Ledger to Choose Between ‘Security and Usability’

By Sead Fadilpašić

A researcher reported on a vulnerability in major crypto hardware wallet manufacturer Ledger’s devices that can result in the loss of bitcoin (BTC), which they claim the company was aware of for a number of months. Ledger, however, argued that they have addressed it already, while having to “make a choice between security and usability.”


There is “a vulnerability in the Ledger hardware wallets that can lead to theft of user funds,” wrote the anonymous researcher Monokh in a blog post yesterday. Per the post, an attacker can exploit this vulnerability to transfer BTC while the user thinks that altcoins (e.g. litecoin (LTC), bitcoin cash (BCH), etc.) are being transferred.

“In other words, having unlocked the Litecoin app, you will receive a confirmation request for a Bitcoin transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed Bitcoin (mainnet) transaction,” Monokh said.

The post added that those who use bitcoin forks on their device could be affected and should avoid using these apps until fixes are available.

Monokh added that Ledger was informed of the problem. “Based on my experience from the first disclosure (Jan 19), I understood that they weren’t motivated to see this issue to completion,” said Monokh, adding that Ledger was aware of the issue even before then. “No further progress was observed and requests for update received no response.”

Ledger’s own report didn’t deny knowing about this potential problem. Yesterday, they argued that “enforcing the restriction to one or multiple paths for each coin type is actually a tough topic,” because:

  • some third party software wallets use incorrect derivation paths, which is a concern specifically for older coins using third party wallets based on Electrum (LTC, dogecoin (DOGE), dash (DASH), etc.)
  • some BTC forks use the same derivation path as BTC, and if they are prevented from using the BTC derivation path, users would be prevented from using the Ledger Nano S/X with these forks.

“We had to make a choice between security and usability, wanting to avoid a situation where user funds would be locked and users unable to spend their funds anymore. We thus chose to enforce a path lock in the Bitcoin app itself,” Ledger said, adding that the user would get a warning if a bitcoin derivative app “tries to perform a derivation on an unusual path.”
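To make the trade-off Ledger describes concrete, here is an added illustrative model (not Ledger’s firmware code) of a derivation-path policy: the Bitcoin app rejects signing requests whose BIP44 coin type is not its own, while a derivative app only warns on an unusual path, which is what keeps forks sharing Bitcoin’s coin type and Electrum-style wallets usable. The SLIP-44 coin-type numbers are real; the ALLOW/WARN/REJECT classes and the accepted purpose levels are assumptions.

```python
# Illustrative model of the "path lock" described in the article. Example code,
# not Ledger's firmware. SLIP-44 coin types are real; the policy is assumed.
HARDENED = 0x80000000
SLIP44 = {"BTC": 0, "LTC": 2, "DOGE": 3, "DASH": 5, "BCH": 145}
# Assumed: purpose levels a Bitcoin-family app accepts (BIP44, BIP49, BIP84).
ALLOWED_PURPOSES = {44, 49, 84}


def parse_path(path: str) -> list[int]:
    """Parse "m/44'/2'/0'/0/0" into BIP32 child indices; hardened gets bit 31 set."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("derivation path must start with m")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith("'") or part.endswith("h")
        n = int(part.rstrip("'h"))
        if not 0 <= n < HARDENED:
            raise ValueError("child index out of range")
        indices.append(n | HARDENED if hardened else n)
    return indices


def check_path(app_coin: str, path: str, lock: bool) -> str:
    """Classify a signing request made to the app for app_coin.

    lock=True models the Bitcoin app: a foreign coin_type is rejected outright.
    lock=False models a derivative app: an unusual path only warns, so users of
    forks on Bitcoin's coin_type or of Electrum-based wallets are not locked out.
    """
    idx = parse_path(path)
    # BIP44 requires purpose, coin_type and account to be hardened.
    if len(idx) < 3 or not all(i & HARDENED for i in idx[:3]):
        return "REJECT"
    purpose, coin_type = idx[0] ^ HARDENED, idx[1] ^ HARDENED
    if purpose not in ALLOWED_PURPOSES:
        return "REJECT"
    if coin_type == SLIP44[app_coin]:
        return "ALLOW"
    return "REJECT" if lock else "WARN"


if __name__ == "__main__":
    # The scenario from the article: the Litecoin app asked to derive on Bitcoin's path.
    print(check_path("LTC", "m/44'/0'/0'/0/0", lock=False))  # WARN
    print(check_path("BTC", "m/44'/2'/0'/0/0", lock=True))   # REJECT
```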

However, this didn’t seem to sit well with the community, many of whom commented that Ledger acknowledged the risks but intentionally ignored the problem for the sake of usability and coin support. “They chose usability OVER Security,” commented redditor Leader92.

BTChip, affiliated with Ledger, replied that “We’re not saying we’re not fixing it for usability” but “that we picked a way to fix that doesn’t put the enforcement of the HD path at the OS level (which is done for applications that do not share the same code).”

The discussion between users, BTChip, and Monokh continued on Reddit.

Meanwhile, some are arguing that the solution is not to stop using Ledger, but to stop using ‘shitcoins.’

These reports come after Ledger’s recent data breach. The company revealed last week that it had been hit with a data breach on June 17 that appears to have allowed a “third party” access to at least 1 million of its users’ contact details.
