
Ledger Hardware Wallets’ Vulnerability Exposes Clients To Risk


A vulnerability that affects every Ledger hardware wallet on the market would allow malicious parties to show Ledger customers fraudulent receive addresses. If these users request funds to these addresses, cryptocurrency intended for them would end up in an attacker’s wallet instead.

Ledger, a company that offers cryptocurrency wallets, acknowledged on February 3 that all of its hardware wallets are affected by a vulnerability which could allow a malicious party to provide clients with false receive addresses, so that cryptocurrency intended to be received would end up in an attacker’s wallet instead.

A Twitter account run by the company issued a tweet that included a hyperlink to a report detailing the vulnerability. The researchers behind the document did not identify themselves, referring to themselves only as “we.”

As Ledger says on an instructional page of its website, a “Ledger wallet generates a new address each time you want to receive a payment.” (The page was updated on February 5, and when ETHNews accessed it, the quoted text and other information pertinent to the vulnerability were highlighted in red.)


It’s in generating these addresses that the vulnerability comes into play. Ledger warns that an “attacker could be in control of your computer screen and show you a wrong address which would make him the beneficiairy [sic] of any transaction sent to it.” The report explains that this is because the wallets use a “JavaScript code running on” the computer to which the device is connected. If malware capable of perpetrating a Man-in-the-Middle attack is present on that machine, it “can simply replace the code responsible for generating the receive address” with code that will spit out an address belonging to the attacker.

Both the report and documentation available from Ledger offer guidance on how to verify a bitcoin receive address is correct. As Ledger puts it, “Click on the button looking like a monitor under the QRCODE. It will show the address on the [screen of the hardware wallet itself]. It is very important to verify that you see the same address” in both places, because if the one on a user’s monitor does not match the one on their wallet’s screen, then the address on their monitor is incorrect.

According to the report, however, no such verification option is available on Ledger’s Ether wallet interface. “The Ethereum App (and possibly other apps as well) has no mitigation, the user has no way to validate if the receive address has been tampered.” Therefore, its authors recommend that “If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix.”

By press time, Ledger had not responded to an ETHNews inquiry on whether this vulnerability threatens to affect the sending and receiving of Ether tokens.

The document also relates that the researchers behind it reached out to Ledger with their findings, and on January 27, the company’s CTO told them that “no fix/change would be done (our recommendation to enforce the user to validate the receive address has been rejected), but they will work on raising public awareness so that users can protect themselves from such attacks.”

A page on Ledger’s website under the header “Basic security principles (must read),” which was also updated on February 5, cautions users that “Using a hardware wallet doesn’t make you invincible… Don’t trust, verify.”

Adam Reese is a Los Angeles-based writer interested in technology, domestic and international politics, social issues, infrastructure and the arts. Adam is a full-time staff writer for ETHNews and holds value in Ether and BTC.
