Millions of crypto-investors have purchased the Ledger Nano to use as a safe wallet to store their currencies safely offline. The makers of this hardware wallet tout it as being ‘tamper proof’ and the safest way to protect your investments. Using this type of wallet not just takes your currency off of exchanges and the web to an offline location, but also secures the device for added protection even if someone gains access to the wallet itself.
A 15 year old in England, however, has found a vulnerability. In fact, he found it months ago and reported it to the company so that it could be fixed. The problem is, they haven’t yet fully fixed it!
Saleem Rashid got frustrated with the fact that not only has Ledger not fixed the issue, they haven’t even paid him a bounty for finding the vulnerability, so he has gone public with the problem.
The vulnerability is pretty obscure, and not something that should really concern most people. That being said, if you are buying a secured offline wallet, you want it to be as secure as possible.
The hack involves a small 300 byte piece of code that rather than going directly at the wallet, targets the micro-controllers on the hardware. There are two of them, one of which stores the private keys, and the other performs functions like displaying information and controlling the USB interface.
It is this second micro-controller that the vulnerability targets. A hacker could cause this controller to generate fake passwords, or change the destination for payments from the wallet. This would require that the hacker have physical access to the wallet. The real risk here is that a hacker buys new devices, performs the hack, and then sells them used. Those who bought them would then have their money at risk.
Ledger has fixed the issue for the popular Ledger Nano S, but the Ledger Blue device is still vulnerable. Due to the fact that this would be a challenging issue to fix, and the exceedingly tiny risk of it happening, Ledger has said that it isn’t a priority at this point.
To avoid this risk, make sure you either avoid the Ledger Blue, or buy it new directly from a reputable distributor.
