Manufacturer of hardware wallets Ledger has released a software update that restores some of the gaps in the security system. The vulnerability was discovered by three independent programmers, one of whom, Salim Rashid (Rashid Saleem) — fifteen-year-old boy from the UK. They discovered the attack vector is not limited to hardware and devices Ledger, making it difficult to fight with him only with software methods.
On 20 March, the Ledger company launched an updated version FOR 1.4.1, accompanied by the release of the article in the blog, guaranteeing «a thorough analysis of security issues»:
«Following the principles of transparency and accountability in the disclosure, we provide a full detailed analysis of the resolved vectors of attacks that are performed by the firmware 1.4, which first reported three researchers of computer security. Since the publication of the technical details can raise the threat level has not been restored to devices, we strongly recommend users to update the software».
The greatest attention is attracted Salim Rashid, detected malicious code, both because of the young age of the researcher, and it is published containing a detailed explanation of how he managed to find the problem.
«An attacker may use this vulnerability to hacking the device before the user receives it, or to steal with the device private keys physically or, in some cases, remotely — explains Rashid, I demonstrated this attack on a real device Ledger Nano S. in addition, a few months ago I sent the source code to the company Ledger, so they could reproduce».
Enthusiast refuses compensation
Company Ledger States that security professionals were asked to sign an Agreement on compensation as a condition of payment for their work, and at the same time noted that this does not prevent them to publish their own reports. The article says that it is assumed that all three experts gladly accepted the offer, but it is not. In fact, Rashid refused compensation, explaining it as follows:
«I have not received remuneration from the Ledger, as their agreement to disclosure does not give me the right to publish a technical report. I have chosen the publication of the report instead of receiving remuneration from the Ledger, mainly because the head of the Ledger Eric Sarcevic (Eric Larchevêque) made some comments on Reddit, which was full of technical inaccuracies. As a result, I became concerned because the vulnerability can explain to customers is not quite right.»
The young programmer finds that the Ledger want to reduce the severity of discovered vulnerabilities. Publish a full and Frank account of how he hacked the Ledger wallet and a waiver of the right to remuneration, did not hurt his reputation. Saleem Rashid clever, and his article on the exploit long, but it will be interesting to all interested in this issue.
In all the confusion remains outstanding the issue of the security of wallets Ledger. Lecturer of cryptography Matthew green (Matthew Green) has published a Twitter in response to the publication of Rashid, in which he discussed the difficulty of preventing hardware attacks of this type. At the end of the publication, he assured:
«Nothing in the publication or detected threat does not mean that you should be afraid of these vulnerabilities, or you have to go to other wallets. Just be careful».
Ledger users should upgrade to the latest firmware version, however, reason for concern. Attacks like the one demonstrated by Salim Rashid, first of all, show the difficulty of creating devices that are immune to all known types of attacks.