RateLimited°C
11-05-2024
Breaking News
BSV
$46.38
Vol 15.17m
0.11%
BTC
$68788
Vol 45232.68m
0.35%
BCH
$338.84
Vol 268.46m
0.44%
LTC
$65.41
Vol 352.99m
-1.65%
DOGE
$0.17
Vol 3759.29m
9.39%
  1. Homepage
  2. >
  3. News
  4. >
  5. Tech
  6. >
  7. Ledger admits to possible wallet firmware flaw
Getting your Trinity Audio player ready...

In a recent article written as a how-to, Medium blogger Paris Cormier described a set of instructions on how to successfully infiltrate a Ledger wallet. The instructions, which followed a fully-detailed Docdroid.netdisclosure,were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are done by executing JavaScript code which runs from the client-side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Given how public keys are changed regularly, users may not suspect any issues that would arise from this process. Users also have no viable method to verify the validity of the receiving address, without resorting to external or third-party applications to manually verify addresses.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:

Recommended for you

How to construct transactions on BSV blockchain with Python
How to construct transactions on BSV blockchain with Python
Python coders, it's time to start learning how to build Bitcoin transactions as nChain's Senior Software Engineer, Arthur Gordon, recently...
By Jon Southurst
November 5, 2024
BSV Association joins OnlyDust’s developer event sponsor list
BSV Association joins OnlyDust’s developer event sponsor list
OnlyDust is a network for open-source developers working with blockchain and decentralized projects; its purpose is to connect contributors, maintainers,...
By Jon Southurst
October 23, 2024
Advertisement
Advertisement
Advertisement