Cryptocurrency hardware wallets are considered to be the most secure when it comes to storing your digital assets. But apparently, not that secure, seeing as a 15-year-old figured out how to hack one.
Saleem Rashid, a 15-year old from the UK, managed to backdoor the leading Ledger Nano-S wallet and claims that many can also hack these wallets, considering that most of them are now sold through third party distributors such as Amazon and eBay.
This means that a malevolent seller can embed malicious code into the wallet, which would allow him to steal the assets from the user’s crypto account.
Rashid revealed on his personal blog that the code targets the device’s micro-controllers. One of the micro-controllers handles the storage of the private key, and the other one acts as a proxy, showing functions and a USB interface. The last one is far less secure, and can’t differentiate between genuine firmware and malicious code.
This means that a wallet that was previously owned by someone else could generate fake passwords for the new users, or an attacker could alter the destinations and payments of the wallet.
The Ledger team said that these vulnerabilities were indeed dangerous but preventable. Regarding the attack, they wrote: “by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller.”
“If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised,” said the Ledger team.
Ledger then claimed that the teenager was affiliated with their main competitor, Trezor. To this accusation the teenager responded: „I’m hearing from multiple sources that @LedgerHQ are pushing the ridiculous narrative that I have some sort of affiliation with @TREZOR. This is a pathetic attempt to undermine my integrity, by claiming that I am not “independent”.”
Ledger has issued a patch for the Ledger Nano S, four months after Rashid first found the problem.
This breach is a reminder that buying certain items preowned can lead to some costly losses, so it’s always best to buy directly or from a trusted retailer. It also reminds us that hardware wallets are a secure option for storing cryptos, but still not ‘unhackable’. This is why you must perform regular updates and carefully manage your keys.