A teenage hacker has discovered a flaw in Ledger, a popular hardware wallet that could essentially enable hackers to grab secret PINs before or after the shipping of the devices.
Hardware wallets are designed to protect the user’s private keys from malware that could be found on the user’s computer. In essence, the devices enable crypto transactions through a USB port on the user’s computer without revealing the private keys to the PC.
Describing the vulnerability in his blog, 15-year-old programming prodigy Saleem Rashid has revealed that the device is open to a “supply chain attack” wherein a hack could compromise the device before it was even shipped, or another attack that could essentially see a hacker steal private keys after the device was initialized to a customer.
The inherent problem is that Ledger’s devices contain a secure processor chip alongside a microcontroller chip that isn’t secure. The latter is used for a number of non-security related purposes including handling the USB connections as well as displaying the LED text on the wallet’s display. However, the two chips, both secure and insecure, pass information between each other. The teenaged hacker discovered that an attacker could compromise the insecure microcontroller on to run malicious code without being detected.
In response, the Ledger team described the vulnerabilities as dangerous, but avoidable.
“By having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller,” Ledger said, referring to the supply chain attack.
“No one was compromised that we know of,” added Ledger CEO Eric Larchevêque said. “We have no knowledge that any device was affected.”
The hardware maker has since released a firmware update which it claims has resolved the vulnerabilities.
Image credit: Ledger.