Join our community of 10,000 merchants on Hacked.com for only $ 39 a month
Hardware Portfolio Ledger Nano S Paused – Saleem Rashid, Teen Security Expert, found a problem with the “tamper” -free “wallet.The story began in November 2017, when Rashid reported a flaw to Nicolas Bacca, chief technical officer of Ledger, which could allow attackers to steal funds to purse users.
Rashid had observed that the microcontroller employed in the wallet was not secure. While it allowed the use of buttons and displays to enter data, it was connected as a proxy to the secure element (SE). The latter contained private keys which meant that a hacker could cheat the SE in different ways. Here’s how: retailers and resellers could change the firmware of the microcontroller which, now compromised, could check its ‘identity’ to the SE. He also explained that the attacker could control the user interface and use his malicious code to set the random to zero and add a recovery seed of his choice. Rashid chose the word ‘abandon’. to prove his point in a video uploaded. Now that the attacker had the mnemonic phrase, they could easily retrieve the private keys.
After Rashid sent the research to Ledger, he saw that the flaw was not taken seriously by the team. However, they released a firmware update on March 6, which was heavily criticized by Rashid. He posted his opinions on Twitter because he believed that the team should have published it as a critical update or disguised it so that hackers did not have the time to. use this trick.
As one of the security researchers, I urge you to update now. This article does not specify how dangerous this problem can be.
Potential problems include the generation of compromised seed recovery or private key extraction. https://t.co/Z2WGFZnFAA
– Saleem Rashid (@spudowiar) March 6, 2018
Panic spread among users, who took to Reddit to discuss their next move. Eric Larchevêque, CEO of Ledger, responded to one of these messages saying that it was “a massive FUD”, and that Rashid was trying to draw attention to himself, while the problem was clearly not a priority. “Saleem is visibly upset when we have not communicated as” critical security update “and decided to share his opinion on the subject,” writes Larchevêque.
On March 20th, Ledger publishes another update which explains three problems discovered by the researchers of the Bounty program: Timothée Isnard, Saleem Rashid and Sergei Volokitin. Interestingly, Rashid denied this statement because the signing of the Ledger Bonus Program agreement would disavow him for publishing a technical report, which he clearly did the same day. Regarding the new updates, Rashid explained that he was not allowed to receive the “release candidate” by the company, but he thought that the new corrections were not completely exempt from hacker attacks.
“Is it really possible to use a combination of timing and” hard to compress “to get security in this model?”, Writes Rashid. He received support from cryptographer Matthew Green, who explained in a long Twitter feed how the teenager was able to break through Ledger’s secure tactics.
The teenager, who lives in the UK, has already discovered a problem in the TREZOR One cryptocurrency hardware wallet. The problem has been solved with sound communication between the two parties. SatoshiLabs CEO Marek Palatinus has even praised Rashid for his work: “His original thinking and creative approach help us make an even safer product.”
Picture of Ledger.
Follow us on Telegram.