Tech 9 months ago

Ed Drake

Teen exposes security vulnerability in Ledger hardware wallet

Cryptocurrency hardware wallet Ledger has been found to contain a major security flaw, which could enable hackers to steal funds from users through a variety of different methods.

The exploit was identified by a teen digital security expert, Saleem Rashid, earlier this week and undermined Ledger’s claims to be ‘tamper-free.’

Upon discovering the exploit, Rashid contacted Ledger CTO Nicolas Bacca to report his findings. The flaw theoretically allows retailers and resellers to load compromised firmware, which would be successfully verified by the device via its connection to the Secure Element.

As soon as the compromised device is used for storing cryptocurrency, the hacker could then successfully recall the relevant private keys, which would effectively allow them to walk away with the contents of the wallet.

According to Rashid, his initial referral of the security flaw was dismissed by the firm, who refused to engage seriously with his recommendations. Nevertheless, a firmware update was released, which went on to attract further criticism from the teenager.

The findings have divided opinion amongst the cryptocurrency community, with some users suggesting the flaw wasn’t as serious as Rashid had initially suggested.

Responding to user comments on Reddit, Ledger CEO Eric Larchevêque described Rashid’s technical report into the flaw, published on his blog, as ‘a massive FUD’, disclosed as a reaction to the firm’s unwillingness to treat his findings seriously.

“Saleem got visibly upset when we didn’t communicate as ‘critical security update’ and decided to share his opinion on the subject,” the Ledger CEO said.

Ledger subsequently published an update, explaining three separate security issues identified by a team of bounty programme researchers. Notably, Saleem Rashid was included amongst the three security experts working on the project—something Rashid himself has denied.

The move follows on from Rashid’s earlier work, most notably in identifying similar flaws with the TREZOR One device. The flaws identified in this case were more warmly received, and even garnered public praise for Rashid from the firm’s CEO.

Nevertheless, it seems not all hardware wallet manufacturers are as open to discussing security flaws with independent researchers like Rashid, and, in any event, they are often less willing to release critical security updates to patch these flaws.
