A vulnerability that affects every Ledger hardware wallet on the market would allow for malicious parties to show Ledger customers fraudulent receive addresses. If these users request funds to these addresses, cryptocurrency intended for them would end up in an attacker’s wallet instead.
Ledger, a company that offers cryptocurrency wallets, acknowledged on February 3 that all of its hardware wallets are affected by a vulnerability which could allow a malicious party to provide clients with false receive addresses, so that cryptocurrency intended to be received would end up in an attacker’s wallet instead.
A twitter account run by the company issued a tweet that included a hyperlink to a report detailing the vulnerability. The researchers behind the document did not identify themselves, referring to themselves only as “we.”
As Ledger says on an instructional page of its website, a “Ledger wallet generates a new address each time you want to receive a payment.” (The page was updated on February 5, and when ETHNews accessed it, the quoted text and other information pertinent to the vulnerability was highlighted in red.)
Both the report and documentation available from Ledger offer guidance on how to verify a bitcoin receive address is correct. As Ledger puts it, “Click on the button looking like a monitor under the QRCODE. It will show the address on the [screen of the hardware wallet itself]. It is very important to verify that you see the same address” in both places, because if the one on a user’s monitor does not match the one on their wallet’s screen, then the address on their monitor is incorrect.
According to the report, however, such a module is not available on Ledger’s Ether wallet interface. “The Ethereum App (and possibly other apps as well) has no mitigation, the user has no way to validate if the receive address has been tampered.” Therefore, its authors recommend that “If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix.”
By press time, Ledger had not responded to an ETHNews inquiry on whether this vulnerability threatens to affect the sending and receiving of Ether tokens.
The document also relates that the researchers behind it reached out to Ledger with their findings, and on January 27, the company’s CTO told them that “no fix/change would be done (our recommendation to enforce the user to validate the receive address has been rejected), but they will work on raising public awareness so that users can protect themselves from such attacks.”
A page on Ledger’s website under the header “Basic security principles (must read),” which was also updated on February 5, cautions users that “Using a hardware wallet doesn’t make you invincible… Don’t trust, verify.”
Adam Reese is a Los Angeles-based writer interested in technology, domestic and international politics, social issues, infrastructure and the arts. Adam is a full-time staff writer for ETHNews and holds value in Ether and BTC.
ETHNews is committed to its Editorial Policy
Like what you read? Follow us on Twitter @ETHNews_ to receive the latest , or other Ethereum wallets and exchanges news.