The Ledger series of cryptocurrency hardware wallets, purported by their maker to be “tamper-proof” has been hacked by a 15-year old, according to Ars Technica. Ledger has long advertised that its firmware’s cryptographic signature cannot be forged, and that the device would immediately notify the user if any malicious code had been placed on it. In fact, the company is so certain that its firmware can’t be hacked or forged that Ledger has told users even devices purchased on eBay would be safe to use.
According to Ledger:
"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key.”
Whoops
Fifteen year old Saleem Rashid set out to prove Ledger wrong. Rashid wrote on his blog:
“An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.”
He then proceeds to describe the process by which he could install a backdoor without the device ever realizing (or notifying the end-user) that it was compromised. This backdoor would cause the wallet to create a predetermined seed, allowing a hacker to drain the device’s wallets remotely at any time. An attacker could buy these supposedly unhackable devices from Ledger, install the malicious code, and resell them to end-users without the user ever realizing the device had been tampered with, according to Rashid.
Unsatisfactory response
Rashid notified Ledger of the vulnerability, and the company has since provided a fix. But Rashid wasn’t satisfied. On his blog he notes that he did not elect to receive a bug bounty from the company because:
“Before I get to the details of the vulnerability, I would like to make it clear that I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
The CEO of Ledger addressed the exploit on Reddit, dismissing the vulnerability as “non-critical” and “massive FUD.” He called Rashid’s disclosure of the criticality of the exploit a “publicity stunt”:
“This is a massive FUD, and such thread should be removed. I won't remove it however because it would create the opposite effect. The security researcher in question is greatly exaggerating the criticity of the issue he found. I can't unfortunately go in the details because good practice require to patch (and wait for enough updates) before sharing more information. I don't understand his publicity stunt.”