2 Ledger Nano exploits reported in single week

A major vulnerability in Ledger’s software has been publicly disclosed by Liquality developer Mohammed Nokhbeh. According to Nokhbeh, there is a vulnerability in Ledger’s software that takes BTC out of a user’s wallet when they try to make a transaction with any of the Bitcoin hard forks.

“It was discovered that for BTC and Bitcoin forks, the device exposes its functions for any of the assets,” said Nokhbeh. “In other words, having unlocked the Litecoin app, you will receive a confirmation request for a BTC transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed BTC (mainnet) transaction.”

The public disclosure comes less than a week after it was discovered that Ledger had been the victim of a breach in which 1 million customer email addresses, as well as the first and last name, postal address, phone number, and ordered products of 9,500 customers, were compromised.

Ledger knew about the vulnerability

Nokhbeh said Ledger knew about this vulnerability for more than a year but declined to fix it. Nokhbeh first made Ledger aware of the issue in January 2019 when he submitted a detailed report of the attack vector to Ledger’s bounty program. However, Nokhbeh says he quickly learned “that they [Ledger] weren’t motivated to see this issue to completion.” After going back and forth with the company for over a year, often following up with Ledger only for them not to respond, the 90-day disclosure period finally came to an end, and Nokhbeh publicly disclosed the vulnerability on his own website.

What will Ledger do?

Shortly after Nokhbeh published his public disclosure, Ledger quickly updated their software to eliminate the attack vector. In addition, Ledger made an announcement on their site acknowledging the software update, and made a weak attempt to explain why it took them so long to update their software, saying that:

“The reporter (Nokhbeh) sent Twitter DM messages that were missed by most of the security engineers. Indeed, the bounty@ledger.fr email address is the only way to reach the whole security team.”
