A young Brit named Rashid has found a way to outwit hardware wallets manufactured by Ledger for criminal purposes.
A young Brit named Rashid has found a way to outwit hardware wallets manufactured by Ledger for criminal purposes.
The small crypto currency wallets of the French company Ledger promise to be safe against unauthorized manipulation. According to the manufacturer, the devices in size of USB sticks were sold millions of copies worldwide. However, 15-year-old Briton Saleem Rashid has now proven that there is a way to manipulate the cryptocurrency purses and deduct Bitcoins, ethers or other cryptocurrency units.
Minimalist malware
As Ars Technica reports, Rashid managed to outsmart the Ledger products Ledger Nano S (purchase price around $ 100) and Ledger Blue (around $ 200) with only 300 bytes of code. Rashid takes advantage of the design of the hardware wallets. The vulnerability sits in the communication between a secure microcontroller and a second microcontroller, which is needed to enable the communication of Ledger products via USB and the operation via OLED and push buttons.
Bad cleaning ladies
The hack consists of injecting a new, manipulated firmware that creates access codes given by the attacker. This would allow an attacker, for example, to redirect cryptocurrency transfers to the attacker's wallet or even modify transferred totals. To bring the manipulated firmware update on the device, of course, you need physical access to it. As Rashid describes on his blog, a so-called "Evil Maid Attack" would be conceivable. Someone who has only a short access to the Ledger product - such as a malicious cleaning lady - could perform the firmware update.
Manufacturer appeased
Rashid informed Ledger about the vulnerability back in November. The company has since delivered a firmware update that blocks Rashid's accessibility. According to Rashid, the fundamental problem lies in the hardware architecture of the devices (and its two microcontrollers). Similar attacks can be relatively easily reproduced in his opinion. Meanwhile Ledger stresses that the gap found by Rashid is not critical.
"Hacker-genius"
Security researcher Matthew Green of Johns Hopkins University (also mentioned in another context on futurezone) has analyzed Saleem Rashid's work and spoken to the British. As for Rashid's performance, he says, "He's one of the most talented 15-year-olds I've ever dealt with, a true hacker genius, what he did is clever, creative and devastating, and that's when he turns out to be in reality a 35-year-old, he would still be really talented, but my trust in humanity would be disturbed. "