Ledger, the cryptocurrency cold-storage hardware wallet manufacturer, has released a new firmware update that brings a number of new features, security improvements, and functionality changes to its best-selling hardware wallet, the Ledger Nano S. In a blog post on Ledger’s official website, Chief Security Officer Charles Guillemet sheds some light on what the new firmware entails.
Firmware 1.4.1, which is available now, brings forth a number of changes including:
- A new screen lock management feature. A long press of both Nano S buttons for three seconds will lock the device. This security feature is helpful in case you become a target for a physical attack and theft while using your Ledger. It allows you to lock out any potential thieves.
- During the initial setup process, users will now need to confirm all 24 passphrase words, instead of the two previously required.
- Cache optimizations that speed up the device.
- BOLOS has been updated, splitting apps into three code segments for greater security, as well as tweaks to the SDK.
- Cryptographic support has been extended, now offering new elliptic curves.
- Last but not least, the Ledger Nano S can now load up to 18 apps on the device, up from a previous limit of around 3-4 apps, depending on size. This is especially helpful for Nano S users who hold many different types of cryptocurrencies.
Despite such a positive slate of new features, the good news very quickly turned into a storm of negativity. Too many update attempts clogged up Ledger’s servers, and many users were left unable to update the firmware on their devices. Worse yet, users are claiming that the Ledger Nano S offers no indication that the update is occurring or how far it has progressed, causing many users to unplug their devices mid-update, bricking them in the process.
To make matters worse, at the same time users were experiencing issues with updating their Ledger Nano S, a prominent security researcher tweeted about the discovery of a “dangerous” issue that could lead to “compromised recovery seed generation” or “private key extraction.” The researcher also encouraged users to “switch to a new recovery seed” if they were overly paranoid about losing their funds.
The company’s CEO attempted to clear the air via the /r/ledgerwallet subreddit, where users were expressing their concerns in a panic, stating that the claims were overblown and are “massive FUD.” The Ledger CEO claims that the security flaw was “greatly exaggerated,” explaining:
“The vulnerability reported by Saleem requires physical access to the device BEFORE setup of the seed, installing a custom version of the MCU firmware, installing a malware on the target’s computer and have him confirm a very specific transaction. While possible, this proof of concept ranks by no mean as a critical severity level and has never been demonstrated.”
Ledger asserts this is no cause for panic, and many Reddit users believe that the security researcher attempted to blow the issue out of proportion in hopes of earning a greater bounty for his discovery.
The security flaw is yet another reason that customers interested in purchasing a Ledger Nano S should purchase it directly from Ledger, to avoid any chance of a seller tampering with the device before it reaches the end user. With the surge in cryptocurrency popularity, the Ledger Nano S has been difficult to obtain through official channels, which led customers to purchase from third-party sources such as eBay, resulting in pre-generated passphrases and theft of funds. At the time of this writing, the Ledger Nano S is in stock from Ledger itself.