Independent security researcher Saleem Rashid today posted a blog about a potentially dangerous flaw he discovered in cryptocurrency hardware wallets made by French tech company Ledger. Ledger’s products physically safeguard public and private keys that are used to spend or receive cryptocurrency.
Titled Breaking the Ledger Security Model, Rashid’s post focusses on the Nano S, released in July 2016, and details two different types of potential attack vectors – malware-based/remote access, and one that relies on physical access after setup.
The vulnerability has since been patched by Ledger.
How Hardware Wallets Work
In his blog, Rashid explains how cryptocurrencies such as Bitcoin protect their funds with public key cryptography. In order to spend the money, he explains, a private key is needed. The trouble comes in when it comes to figuring out how to protect that key. As anyone who’s ever lost their keys (digital or physical) can testify, humans are notoriously bad at keeping important things safe.
Hardware wallets were touted as the solution to the age-old problem of “people losing stuff’; however, this creates an additional problem because hardware can be hacked. And in the case of hardware wallets, they can be hacked invisibly so that the user doesn’t notice their wallet has been compromised until it’s too late.
“The vulnerability (in question) arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element,” says Rashid. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.”
Supply Chain Attacks
Rashid’s rationalization for the physical access-based attack is that a third-party reseller of Ledger’s products (such as sellers on Ebay or Amazon) could potentially update the devices with malicious (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog