Main navigation

Fifteen Year Old Hacks Ledger Hardware Wallet, CEO Dismisses Exploit as “FUD”

Wed, 03/21/2018 - 14:17
article image
David Dinkins
The Ledger series of hardware wallets has fixed a serious vulnerability, but Ledger CEO says the exploit, which would have allowed attacker to steal funds, wasn’t serious.
Fifteen Year Old Hacks Ledger Hardware Wallet, CEO Dismisses Exploit as “FUD”
Cover image via U.Today
Read U.TODAY on
Google News

The Ledger series of cryptocurrency hardware wallets, purported by their maker to be “tamper-proof” has been hacked by a 15-year old, according to Ars Technica. Ledger has long advertised that its firmware’s cryptographic signature cannot be forged, and that the device would immediately notify the user if any malicious code had been placed on it. In fact, the company is so certain that its firmware can’t be hacked or forged that Ledger has told users even devices purchased on eBay would be safe to use.

According to Ledger:

"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key.”


Fifteen year old Saleem Rashid set out to prove Ledger wrong. Rashid wrote on his blog:

“An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.”

He then proceeds to describe the process by which he could install a backdoor without the device ever realizing (or notifying the end-user) that it was compromised. This backdoor would cause the wallet to create a predetermined seed, allowing a hacker to drain the device’s wallets remotely at any time. An attacker could buy these supposedly unhackable devices from Ledger, install the malicious code, and resell them to end-users without the user ever realizing the device had been tampered with, according to Rashid.

Unsatisfactory response

Rashid notified Ledger of the vulnerability, and the company has since provided a fix. But Rashid wasn’t satisfied. On his blog he notes that he did not elect to receive a bug bounty from the company because:

“Before I get to the details of the vulnerability, I would like to make it clear that I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”

The CEO of Ledger addressed the exploit on Reddit, dismissing the vulnerability as “non-critical” and “massive FUD.” He called Rashid’s disclosure of the criticality of the exploit a “publicity stunt”:

“This is a massive FUD, and such thread should be removed. I won't remove it however because it would create the opposite effect. The security researcher in question is greatly exaggerating the criticity of the issue he found. I can't unfortunately go in the details because good practice require to patch (and wait for enough updates) before sharing more information. I don't understand his publicity stunt.”

article image
About the author

David Dinkins is a freelance writer who holds a Master of Arts in history from Louisiana Tech University and has extensive teaching experience both at LSU – Shreveport and University of Phoenix. He got involved with cryptocurrency in early 2014 working as part of the Dash Core Team and have served in the role of writer/editor (mostly editor) during that time. He has edited a huge number of documents for the Core Team, including the Evolution whitepaper, the PrivateSend whitepaper, and many of Evan Duffield’s communications with the Dash Community.