A teenage security researcher has exposed a (now fixed) flaw in cryptocurrency hardware wallets manufactured by Ledger, one of the most trusted names in the industry.
Earlier this month, 15-year-old British hacker Saleem Rashid discovered a flaw in Ledger hardware wallets that allowed attackers to fake the device’s seed generation and steal any funds later stored in addresses spawned from this seed.
On Tuesday, Rashid released a blog post explaining the technical specifics of the vulnerability, as well as why he believes it is more serious than Ledger has previously acknowledged.
The attack — which usually requires physical access to the device but could also be carried out through a combination of malware and social engineering — works by compromising a microcontroller that operates alongside the wallet’s “secure element,” the tamper-proof chip that stores the private keys.
Because the attack is most easily carried out with physical access to the device, this scheme would most likely take the form of a “supply chain attack,” wherein an individual installs malicious firmware on a Ledger device and then sells it on a third-party marketplace such as Amazon or eBay.
Though this is riskier than ordering from the manufacturer, users often purchase these devices from third-party retailers, since hardware wallet makers often struggle to produce enough devices to keep pace with surging demand and their own stores are frequently out of stock.
Ledger released an update for the Nano S, its most popular hardware wallet, on March 6, eliminating the vulnerability for users who have upgraded to the new firmware. However, it has not yet pushed an update for its higher-end Ledger Blue.
As BlockExplorer reported, Ledger executives had publicly sparred with Rashid on social media following the firmware update’s release, with CEO Éric Larchevêque at one point claiming that Rashid had “greatly exaggerated” the severity of the exploit since in most cases it would require physical access to the device.
Nevertheless, Ledger thanked Rashid (along with two other researchers who discovered issues addressed in the latest firmware update) in a statement discussing the vulnerability, which was also released on Tuesday (both Rashid and Ledger waited two weeks before discussing the exploit in detail so users would have ample time to update to the new firmware).
“All the security team would like to congratulate Saleem for this good work, his help, and his professionalism through the disclosure process,” the company said.