Tech 11 months ago

Vince Dioquino

Ledger admits to possible wallet firmware flaw

In a recent article written as a how-to, Medium blogger Paris Cormier described a set of instructions on how to successfully infiltrate a Ledger wallet. The instructions, which followed a fully detailed Docdroid.net disclosure, were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are carried out by JavaScript code that runs on the client side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Because public keys change regularly, users may not suspect any issue arising from this process. Users also have no viable way to verify the validity of the receiving address without resorting to external or third-party applications to check addresses manually.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:
