Ledger: Recently Discovered Wallet Vulnerabilities Not Critical

Published by Cointele

In an official Medium blog post on Dec. 28, Ledger claimed that recently uncovered vulnerabilities in its hardware wallets are not critical. Yesterday at the 35C3 Refreshing Memories conference in Berlin, researchers claimed that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue cryptocurrency wallets.

In the post, the company explains that there appeared to be "Three attack paths which could give the impression that critical vulnerabilities were uncovered," but according to them "This is not the case."

Ledger says that the vulnerability is not critical because "They did not succeed to extract any seed nor PIN on a stolen device" and "Sensitive assets stored on the Secure Element remain secure."

According to the company, the Ledger Nano S vulnerability "Demonstrated that physically modifying the Ledger Nano S and installing malware on the victim's PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin app is launched."

Ledger also claims that the demonstration of the Ledger Blue attack is "a bit unrealistic and not practical," adding that "The position of the receiver and the attacked device must be exactly the same, the position of the USB cable is also paramount."

"This attack is definitely interesting, but does not allow to guess someone's PIN in real conditions."

Ledger stated that, because of this vulnerability, the next Ledger Blue firmware update will feature a randomized keyboard for the PIN.

The company also stated that they "Regret that the researchers did not follow the standard security principles outlined in Ledger's Bounty program." According to Ledger, "In the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users."

In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault.

The company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.
