Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Bitcoin Hardware

A 15-Year-Old Hacked the Secure Ledger Crypto Wallet (techcrunch.com) 68

An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.

Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.

This discussion has been archived. No new comments can be posted.

A 15-Year-Old Hacked the Secure Ledger Crypto Wallet

Comments Filter:
  • That is actually the most eloquently informing feedback I've ever read.
  • by FeelGood314 ( 2516288 ) on Thursday March 22, 2018 @01:08AM (#56303437)
    Unless you mined the sand yourself, built the lithography machine and pretty much did every other step in building the device you can't be secure against an attack where someone physically substitutes part of the product on you. If the Pseudo Random Number Generator has a seed the attacker knows, or the program in the device is completely rewritten by the attacker or the entire device is counter fit, the bad guy will win and there is nothing that the makers of the Crypto Ledger Wallet can do.

    These aren't the attacks I need to worry about. Crypto Ledger Wallet was polite in even responding to this kid. John Biggs (writer for Tech Crunch) is an idiot for even writing the story.
    • by tlhIngan ( 30335 )

      No, this is a problematic attack.

      Your wallet is secured with a private key. This hack basically rewrites the RNG that generates that key to make it not so random.

      As for physical access? The box doesn't come sealed, and the company states you can buy them off eBay because the technology is so secure, the device is guaranteed to only run their firmware.

      So if you buy one of these things, how do you know your device has not been tampered with? It's supposed to be secure, and they claim it's so secure they don't

      • So if you buy one of these things, how do you know your device has not been tampered with?

        It says right in the summary: "In both cases, a successful firmware update is the proof that your device has never been compromised."

        • by tlhIngan ( 30335 )

          It says right in the summary: "In both cases, a successful firmware update is the proof that your device has never been compromised."

          That's what the marketing copy says. But the hack allows the guy to fake the update so it passes the check, so he can add his own code to the firmware update.

          In addition, relying on an update to prove correctness doesn't do didly squat. I can create a "open" version that isn't signed and will run anything, and thus can take a signed firmware update just fine. It's just I don't

  • hint to article writers and submitters. If something requires fucking physical access and or admin and pin access like this then it isn't worth an article about. this same vulnerability exists in just about every device and every computer ever sold
  • It comes across as a clever and insightful bit of an analysis from a very talented young man.

    The lack of any tamper evident packaging I would consider worrying since it does appear you can compromise these in the supply chain and you would have zero idea it's been done.
  • by 110010001000 ( 697113 ) on Thursday March 22, 2018 @06:24AM (#56304245) Homepage Journal
    This is similar to the ATM scam where people got access to ATMs during shipping and modified them to send them PINs via text messages. Supply chain attacks are real.
    • really need the world to know about a real one who helped me got proof of my cheating ex .hes really reliable and an expert at his job .contact hackdigg at gmail dot com or contact him on what's app through this number .+15185049376... or text his mobile number +15186284630.he can hack into what's app.facebook .text messages ,deleted text messages or any type of spying hacking related .tell him from Anita Email:hackdigg at g mail dot com Text num:+15186284630 What's app num:+15185049376
  • Somebody is semi-literate here.
  • by cascadingstylesheet ( 140919 ) on Thursday March 22, 2018 @12:01PM (#56306201) Journal

    Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices.

    Too bad; I'd be impressed if a vulnerability could create an active device out of thin air!

  • Well I never thought I'd see that phrase in a technical report :-)
  • A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs....

    The discoverer's age is irrelevent to the story. If he were 30, would we call him a "30-year-old programmer" I think not. Is the author trying to imply, that because the programmer was 15, the vulnerability was more obvious, or easily discovered by even a naive person?

    That would be an invalid presumption. There are a whole lot of technically sk

  • Life has taught me that you can’t control someone’s loyalty. No matter how good you are to them it doesn’t mean that they will treat you the same way. I have been married to my husband for two years with no idea he was cheating. Suddenly i started noticing changes in behavior, i suspected something was wrong. So i confided in a friend who convinced and introduced me to a hacker. He was able to hack into my husband mobile phone, Text messages, Call logs, IG, browser history, deleted message

Duct tape is like the force. It has a light side, and a dark side, and it holds the universe together ... -- Carl Zwanzig

Working...