Teen finds a hole in Ledger security
The first security flaw was discovered by fifteen-year-old Saleem Rashid, of the UK. He found a hardware-based security flaw that is present in all models of Ledger wallets. The vulnerability is due to proprietary code that is used to secure the devices, which can be hacked if a criminal has physical access to a wallet.
In cases where wallets are being sold secondhand, it is entirely possible that a thief could infect a wallet with malware, leaving the door open for later access, and then resell the item. Also, resale vendors could be selling wallets that have been previously tampered with, unbeknownst to them.
The new owner would not be able to tell if the wallet had been compromised, and there is currently no way to check for that kind of tampering. Ledger now officially warns customers about MCU fooling. However, they say that since no real example of this kind of breach has occurred, the likelihood of being attacked this way is low.
Other flaws
Sergei Volokitin discovered a second way that criminals could exploit the Ledger wallets. His attack required that criminals be in contact with the device in order to take advantage of its contents. Again, though, if an unsigned application were installed on that device, it could open the door for malware.
Timothee Isnard discovered a padding oracle attack that would decrypt parts of the data stream between a Ledger device and the network. Ledger acknowledged this vulnerability but says it is not worried about it. The decryption only exposes a few bytes of data, not enough to do much damage with. Nevertheless, the company has updated the SCP by adding a MAC (message authentication code) that prevents the breach. There are also security measures server-side that prohibit the hack.
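As an added illustration of why a MAC closes this kind of leak (this is not Ledger's code or its actual SCP; the toy Feistel cipher, CBC mode, PKCS#7 padding, keys and function names are all assumptions made for the sketch): without a MAC, a tampered message fails or succeeds depending on its padding, while with encrypt-then-MAC every tampered message is rejected the same way before any decryption happens.

```python
import hashlib
import hmac

BLOCK = 16
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # constructed sample keys

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(blk, decrypt=False):  # toy 4-round Feistel, stand-in for a real block cipher
    f = lambda rnd, half: hmac.new(ENC_KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
    lh, rh = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        lh, rh = (_xor(rh, f(rnd, lh)), lh) if decrypt else (rh, _xor(lh, f(rnd, rh)))
    return lh + rh

def cbc_encrypt(plaintext, iv):
    pad = BLOCK - len(plaintext) % BLOCK
    data, out = plaintext + bytes([pad]) * pad, [iv]
    for i in range(0, len(data), BLOCK):
        out.append(_block(_xor(data[i:i + BLOCK], out[-1])))
    return b"".join(out)

def open_unauthenticated(msg):
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    data = b"".join(_xor(_block(c, True), p) for p, c in zip(blocks, blocks[1:]))
    pad = data[-1]
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")  # a failure the sender can tell apart from success
    return data[:-pad]

def seal_authenticated(plaintext, iv):
    ct = cbc_encrypt(plaintext, iv)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_authenticated(msg):
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        raise ValueError("bad mac")  # rejected before decryption or unpadding
    return open_unauthenticated(ct)

def responses(open_fn, msg):
    seen = set()
    for i in range(len(msg)):  # flip one bit in each byte in turn, as in-transit tampering
        try:
            open_fn(msg[:i] + bytes([msg[i] ^ 1]) + msg[i + 1:])
            seen.add("ok")
        except ValueError as err:
            seen.add(str(err))
    return seen
```

For a message sealed with a fixed, constructed IV such as bytes(16), responses(open_unauthenticated, ...) contains both "ok" and "bad padding", while responses(open_authenticated, ...) contains only "bad mac". A real channel would use a random IV per message and a vetted cipher.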
Ledger responds
Ledger hardware wallets had been heralded as the most secure way of keeping crypto balances. The devices are physical items that work on a proprietary network. Some claim that open source hardware could help to mitigate issues like these in the future. For now, though, Ledger has responded by dropping a firmware update. The update was released on March 6 and is version 1.4.1.
For their efforts in creating a more secure digital life, the three white hats are eligible to be paid a bounty by Ledger. As of yet, no amounts have been released.