Ledger Wallet


A 15-year-old discovered a vulnerability in the Ledger Nano S wallet that allows him to redirect transactions and manipulate both seeds and recovery passwords. Together with Ledger's developers, he has since helped produce an update for the offline wallet, which users should install.

Hacker Saleem Rashid announced on his blog on March 20 that he had cracked the Ledger wallet. The backdoor Rashid developed is just 300 bytes in size and makes the device generate wallet addresses and recovery passwords that the attacker has prepared in advance. An attacker can enter these recovery passwords into a new hardware wallet to recreate the private keys of the compromised device.



Using the same approach, attackers could carry out similar manipulations. For example, they could alter the destination addresses and amounts of transferred cryptocurrencies and thereby redirect transactions to their own wallets.

In the announcement of the update on 6 March, however, Ledger's chief security officer Charles Guillemet stressed that the gap was not a critical one. He said that attackers are unable to read the private keys, and that Ledger could identify compromised wallets when they connect to the Ledger server.

Rashid doubted the safety of the Ledger Wallet

Rashid again disputed this statement, saying that even if the issue were resolved with a minor modification, he could crack the system once more.

The vulnerability Rashid targets lies, according to him, in Ledger's secure microcontroller (the Secure Element). This communicates with a general-purpose microcontroller, which Ledger calls the MCU. The MCU, in turn, talks to the rest of the hardware wallet: the USB host, the OLED display, and the buttons the user operates. Rashid's approach is to replace the original firmware with malicious code while manipulating the MCU so that it presents a seemingly genuine image of itself to the secure microcontroller.

Speaking to online magazine Ars Technica, Matt Green of Johns Hopkins University voiced doubts as to whether Ledger’s first update would eliminate the issues:

“Ledger is trying to solve a fundamental problem here. You need to check the firmware running on a processor. But your security chip cannot see the code running on the processor. So you have to make the processor work with your own code! This would be a catch-22, because the processor could possibly work with wrong code, which is not to be trusted. It’s like asking someone who might be a criminal if he’s revealing his criminal record for reasons of honesty.”

Ledger was able to close a security hole

The Ledger development team had, however, already taken steps to close this kind of hole by preventing the MCU from presenting false code to the Secure Element. The Secure Element requires the MCU to forward the entire contents of its flash memory, and the MCU has only a relatively small amount of flash. To inject malicious code, the MCU would in theory have to store both the official firmware and the malicious code, so the limited storage capacity of the MCU should rule out this type of attack.

Rashid reportedly bypassed this mechanism by first noticing that the MCU holds both the bootloader and the firmware, and that some code, the compiler intrinsics, is identical in both. He removed these duplicated intrinsics and replaced them with malicious code. When the Secure Element asked the MCU for its contents, the 15-year-old reconstructed a seemingly legitimate image to fool the check, and the device accepted the fake firmware as verified.

The device then generated wallet addresses and recovery passwords under the attacker's control. Rashid says the backdoor can produce recovery passwords that look random to the user but are known to the attacker. According to him, the vulnerability could be exploited by planting malware during brief access to the device, or from an infected computer.
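As an added illustration (not Ledger's or Rashid's code), a small Python model of the check described above and of the capacity argument it rests on: the Secure Element demands a dump of the whole flash and compares it with the reference image, and the defence only works while no room is left to hold both that image and extra code. The flash size, the sample bootloader and firmware images, and the shared "intrinsics" block are constructed; the 300-byte payload size is the figure from the article.

```python
import hashlib
from difflib import SequenceMatcher

FLASH_SIZE = 1024  # hypothetical MCU flash capacity in bytes (constructed)

# Constructed sample images: a block of "compiler intrinsics" is linked into
# both the bootloader and the firmware, as the article describes.
INTRINSICS = bytes(range(256))
BOOTLOADER = b"BOOT" + INTRINSICS + b"A" * 100
FIRMWARE = b"FIRM" + INTRINSICS + b"B" * 300

def build_flash(bootloader: bytes, firmware: bytes) -> bytes:
    """Lay out bootloader then firmware; erased flash reads as 0xFF."""
    image = bootloader + firmware
    if len(image) > FLASH_SIZE:
        raise ValueError("image does not fit in flash")
    return image + b"\xff" * (FLASH_SIZE - len(image))

REFERENCE = build_flash(BOOTLOADER, FIRMWARE)

def se_verify(reference: bytes, dump: bytes) -> bool:
    """Secure Element side: the MCU must return its entire flash and it
    must match the reference image bit for bit."""
    if len(dump) != FLASH_SIZE:
        return False
    return hashlib.sha256(dump).digest() == hashlib.sha256(reference).digest()

def shared_block(bootloader: bytes, firmware: bytes) -> int:
    """Largest code block present in both bootloader and firmware."""
    sm = SequenceMatcher(None, bootloader, firmware, autojunk=False)
    return sm.find_longest_match(0, len(bootloader), 0, len(firmware)).size

def capacity_margin(bootloader: bytes, firmware: bytes, payload_size: int) -> dict:
    """Design check for the capacity argument: the defence only holds while
    the space left beside the reference image is smaller than the payload.
    Code duplicated in both regions needs storing only once, which enlarges
    the usable space and can erode that margin."""
    free = FLASH_SIZE - len(bootloader) - len(firmware)
    shared = shared_block(bootloader, firmware)
    return {
        "free": free,
        "shared": shared,
        "holds_naive": free < payload_size,
        "holds_with_dedup": free + shared < payload_size,
    }

if __name__ == "__main__":
    print("genuine dump accepted:", se_verify(REFERENCE, REFERENCE))
    print(capacity_margin(BOOTLOADER, FIRMWARE, payload_size=300))
```

With the constructed sizes the naive margin holds (104 bytes free, less than a 300-byte payload) but no longer does once the 256 bytes shared by both regions are counted, which is the assumption a reviewer of such a scheme should check.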

Firmware update promises security

Ledger responded immediately to the problem. On March 20, they released an update that fixes three security issues. With the update, the integrity of the device can now be checked, so that it is possible to confirm that a device is not infected; seeds and private keys remain safe.

Together with the two security experts Timothée Isnard and Sergei Volokitin, Rashid and Ledger made sure the security loopholes were closed. They strongly recommend updating the firmware of Ledger devices to version 1.4.1 to eliminate all security threats.

Updating the Ledger Nano S in six steps

The first step is to open the Ledger Manager on the PC and connect the Ledger to the PC. If the device is new, hold the right button while connecting the cable. After 5 seconds the device will display “Recovery” and you will be taken to the dashboard. If the device is already configured, connect it as usual and enter its PIN.

In the second step, synchronize the Ledger Manager with the wallet and wait for the dashboard to appear.

In the third step, click the firmware menu in the upper left corner of the Ledger Manager on the PC. Then click the green arrow in the “Firmware Version 1.4.1” line and then the “Install” button. Finally, confirm this step on the device itself. If an error message appears, this does not necessarily mean that the device is infected: uninstall all applications from the device and start the update again.

Important: Check the version number of the update

In the fourth step, wait until the message “Update Firmware” appears on the display. Here it is important to make sure that it is actually version 1.4.1. Finally, check whether the update identifier shown on the display matches the one in the Ledger Manager screen.

In the fifth step, press the right button on the Nano S and wait until the display asks for the PIN. After entering the PIN, the display should read “MCU firmware is outdated.” Then unplug the device briefly and plug it in again while holding down the left button, after which the word “Bootloader” should be displayed. The Ledger Manager then shows the message “Restoring MCU”. During the update the display should show “Update”, and the manager should show “Installing Firmware, please wait, this might take a few moments”. If the Ledger does not respond for a long time, wait 5 minutes, close the Ledger Manager and start the process again.

Confirm one last time

In the sixth step, go to “Settings” in the Ledger menu to make sure the installation went smoothly. Pressing both buttons opens the tab; go to the “Device” menu. Press both buttons again and select “Firmware”. Using the same procedure, select “Secure Element 1.4.1”. Pressing the right button lets you finally check that the MCU version is 1.5.

In the last step, reinstall the applications; the Ledger should now be safe again.
