According to his blog, British teenager Saleem Rashid has written code that gives him back door access to the Ledger Nano S, a $100 cryptocurrency storage device that is used by millions around the globe. As per Rashid’s findings, the vulnerability would permit a hacker to drain the wallet of funds. This is particularly of note because Ledger is a trusted name and considered a go-to for crypto enthusiasts who are worried about safely securing their coins.
Upon learning about the vulnerabilities, the Paris-based firm that makes the wallet said that it had issued a security fix for the Nano S. But there’s a problem: it is believed that the flaw also effects another model — the Nano Blue — and a fix for that model won’t be available “for several weeks,” according to the firm’s chief security officer Charles Guillemet (who spoke with Quartz).
How Does the Attack Work?
Ledger wallets use something called a “secure element” — basically a tamper-proof chip — that is touted as a key security feature. Secure elements are widely used in passports and identity cards and are also used to store payment information on iPhones. These chips often can’t process much data, or be connected to peripherals such as a display, therefore the secure element in the Nano S is connected to a micro-controller that does those things, but is itself not secure to the same degree. This micro-controller is what Rashid’s attack focused on.
An attacker needs to somehow install a customized version of the firmware that runs on the Ledger wallet’s micro-controller. This is a process that takes 20 seconds or less, according to Rashid. One way to do this is to have physical possession of a wallet before it gets into a user’s hands — which could happen if a wallet was compromised and then sold on Amazon, Ebay, or through another third party.
Such a scenario is known as a “supply-chain attack” and it could affect any devices that aren’t directly shipped from the producer to the customer. In Ledger’s case, it says the large majority of its Nano S wallets are sold directly to consumers, but some are sold through third-party retailers. Guillemet says Ledger doesn’t conduct any audits of its authorized resellers, and the company hasn’t said how many devices are in fact sold through third parties.
In his blog, Rashid said that he had sent the code he had developed to Ledger “a few months ago,” adding that he had not been paid a bounty for his discoveries. Rashid said that he chose to publicly share his findings after Ledger’s chief executive Eric Larcheveque made comments on Reddit which, according to the teenager, “were fraught with technical inaccuracy.”
“As a result of this, I became concerned that this vulnerability would not be properly explained to customers,” Rashid wrote. In his Reddit comments, Larcheveque said that the security issue had “been greatly exaggerated.”
“While possible, this proof of concept ranks by no means as a critical severity level and has never been demonstrated,” he wrote. He accused the teenager of becoming “visibly upset” when the firm did not share the fix as a “critical security update” and said his decision to go public had “generated a lot of panic.”