15-Year-Old Security Researcher Shares Ledger Wallet Exploit

Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.

Also read: Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets

Ledger at Loggerheads with Security Researcher Who Found Flaw

On March 20, Ledger released an update to its firmware, 1.4.1, accompanied by a blog post that promised “a deep dive into security fixes”. It began: “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware”.

It is the exploit discovered by Saleem Rashid that’s gathered the most attention, both on account of his tender age, and his publication today of a detailed explainer on how he achieved the feat. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely,” Rashid explains. “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.” He also told a security blog that “[Ledger] make it so easy to open the device that you can take your fingernail and open it up [to tamper with it]”.

White Hat Hacker Forgoes His Bounty

Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts, while noting that this doesn't prevent the researchers from publishing their own reports. Ledger's post is worded in such a way as to suggest all three researchers were happy to comply with this agreement, but that's not entirely true. Rashid actually forwent his bounty reward, explaining:

I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.

The teen researcher is of the opinion that Ledger were seeking to downplay the seriousness of the exploit he’d uncovered. Publishing a full and frank report of how he broke the Ledger wallet, and giving up his right to a reward, hasn’t done his reputation or his Twitter follower count any harm either. Saleem Rashid is clever beyond his years, and his article on the exploit is lengthy but fascinating for anyone with an interest in such matters.

Your Cryptocurrency Hardware Wallet Is Safe

One matter in danger of getting lost amidst all this is the status of Ledger wallets. Cryptographer Matthew Green posted a tweetstorm in response to Rashid's blog, exploring the difficulty of fully preventing hardware-based attacks of this nature. He finishes, reassuringly: "Nothing in the post or thread above means you should freak out about these vulns, or that you should assume other wallets are better. Just be safe." Ledger users should update to the latest firmware, but there is no cause for alarm. Attacks such as the one demonstrated by Saleem Rashid show the difficulty of creating a device that is immune from all known forms of attack, particularly when the attacker has physical access to the hardware before or after it reaches its owner.

Do you think Ledger is guilty of trying to downplay the seriousness of the exploit? Let us know in the comments section below.


Images courtesy of Shutterstock.
