Author

Topic: [2018-03-21] 15-Year-Old Hacks Hardware Crypto Wallet Ledger (Read 136 times)

newbie
Activity: 35
Merit: 0
Instead of bullying they should hire that guy as a security consultant
full member
Activity: 308
Merit: 110
This gives me a good feeling for having sticked with my old fashion paper wallets and digital wallet file backups stored on external HDD's and USBD's. The reason for me to hold off is the fact that I just never had the feeling that I can trust any of the existing hardware wallets, regardless how reputable the manufactures themselves may be.
One cannot trust anybody these days. Any software or hardware may have vulnerable and be hacked. A cold wallet is our best friend. Gold (metal) plate with engraved private key better then harware ledger, if it stored in secure safe.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
This gives me a good feeling for having sticked with my old fashion paper wallets and digital wallet file backups stored on external HDD's and USBD's. The reason for me to hold off is the fact that I just never had the feeling that I can trust any of the existing hardware wallets, regardless how reputable the manufactures themselves may be.

I even have a thin actual Gold plate where I personally engraved the private key of my main cold wallet in. It of course doesn't have to have to be actual Gold (could be any metal), but it allows me to bling things up a bit, which adds an extra touch that puts a smile on my face everytime I think about it, and it also increases its physical durability if you put it against a paper wallet. I would also love to buy myself a casascius coin last year, but slipped on that due to the premiums, which are now insane, lol. It's a perfect old school collectors item and a great cold storage tool.

Casascius premiums might not be too far off the norm in dollar terms compared to olden times, it's these forks that have muddied the waters. And as soon as you start adding extra BTC people become intensely disturbed.

What do you about physically securing your gold plate?



legendary
Activity: 2170
Merit: 1427
This gives me a good feeling for having sticked with my old fashion paper wallets and digital wallet file backups stored on external HDD's and USBD's. The reason for me to hold off is the fact that I just never had the feeling that I can trust any of the existing hardware wallets, regardless how reputable the manufactures themselves may be.

I even have a thin actual Gold plate where I personally engraved the private key of my main cold wallet in. It of course doesn't have to have to be actual Gold (could be any metal), but it allows me to bling things up a bit, which adds an extra touch that puts a smile on my face everytime I think about it, and it also increases its physical durability if you put it against a paper wallet. I would also love to buy myself a casascius coin last year, but slipped on that due to the premiums, which are now insane, lol. It's a perfect old school collectors item and a great cold storage tool.
legendary
Activity: 2408
Merit: 1121
How can you have complete peace of mind with either one?

All that has been proven is any implementation will have flaws, the rest is just semantics and PR-speak about who is more "willing" to fix it.

It doesn't make either one better, just equally targeted.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
It is somewhat worrying, especially because of the fact that I own a Ledger wallet. This once again shows that technically, just holding your private keys in paper wallet form isn't less secure, and maybe even more secure.

I might switch back to pure paper wallet form, because this isn't the first time hardware wallets have been showered with bad press, which might turn out to be well justified. Better safe than sorry.

I rather take precautions to avoid potential harm, even if this is just a 'hoax', than exposing my coins unnecessarily to high risks. It actually made me feel bad once again. Paper wallets offer less convenience, but who cares.

Yes, I'm pondering going back to paper as well.

I think exploits will just keep on battering hardware wallets. And why wouldn't they? The prize must be now unimaginably huge.

I'm sure the risk of actual compromise will always be relatively low and most of these are extreme scenarios, but hardware should mean complete peace of mind and they're turning into a pain up the arse.
full member
Activity: 411
Merit: 100
And what ? If you hold it in safe place nobody will hack it , every system have backdoors and back ways to hack them , impossible to make unchackable system i do not trust it that Smiley
And iam very glad that have peopel like that boy who a very clever to find solutions how to hack things like ledger !
legendary
Activity: 1526
Merit: 1179
It is somewhat worrying, especially because of the fact that I own a Ledger wallet. This once again shows that technically, just holding your private keys in paper wallet form isn't less secure, and maybe even more secure.

I might switch back to pure paper wallet form, because this isn't the first time hardware wallets have been showered with bad press, which might turn out to be well justified. Better safe than sorry.

I rather take precautions to avoid potential harm, even if this is just a 'hoax', than exposing my coins unnecessarily to high risks. It actually made me feel bad once again. Paper wallets offer less convenience, but who cares.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I've been following this story from the beginning,but I did not know that this 15 year old genius is also has a connection with the discovery of some problems with Trezor hardware wallet.Maybe one day he will work for one of these companies,I think it is more than obvious that this kid knows more than all their experts together.

What Saleem Rashid discovered indeed represent a security threat(we hope that this is resolved with new firmware),in a way that attacker can hack device in several ways :

Quote
An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.

I think that the greatest threat is in possibility that device can be modified before users receives it,so best way to buy hardware wallet is directly from the manufacturer-what again does not eliminate the threat completely.There is also other attacks described in this article Breaking the Ledger Security Model which shows us that hardware wallets(in this case Ledger Nano S) are not completely perfect and safe.

I just hope that new firmware is fix all security vulnerabilities,although I'm not sure is it only depends on the firmware or part of the problem is in device hardware.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
This fella is shit hot, even if he's actually 57 and 57,000 kilos. He's responsible for NEM integration on Trezor which has been a huge help to me and many others no doubt.

It's interesting contrasting the attitudes between Ledger and Trezor in these matters.

I don't have enough, or any, technical knowledge to know if he is shit stirring to build a rep or whether his findings are justified, but Trezor seem to have rather more humility. The way Ledger operate is beginning to get on my nerves somewhat.
legendary
Activity: 1264
Merit: 1008


Hardware wallet Ledger Nano S had a break in – teenage security expert, Saleem Rashid, found an issue with the “tamper-free” wallet. The story began on Nov. 2017, when Rashid reported a flaw to Ledger CTO, Nicolas Bacca, which could allow attackers to steal funds from wallet users.

Rashid had observed that the microcontroller employed in the wallet was not secure. While it allowed the use of buttons and displays to input data, it was connected as a proxy to the Secure Element (SE). The latter contained private keys which meant that a hacker could trick the SE in different ways. Here’s how: retailers and resellers could change microcontroller’s firmware which, now compromised, could verify its ‘identity’ to the SE. He further explained that the attacker could control the user interface and use their malicious code to set randomness to zero and add a recovery seed of their own choice. Rashid chose the word ‘abandon’ to prove his point in an uploaded video. Now that the attacker had the mnemonic phrase, they could get the private keys easily.

After Rashid sent the research to Ledger, he saw that the flaw wasn’t taken seriously by the team. However, they did publish a firmware update on Mar. 6, which was heavily criticized by Rashid. He posted his opinions on Twitter, since he believed that the team should either have posted it as a critical update or disguised it so that hackers didn’t get time to use this trick.

Panic spread among users, who took to Reddit to discuss their next move. Eric Larchevêque, Ledger’s CEO, replied to one such post saying it was “a massive FUD”, and that Rashid was trying to bring attention to himself, when the problem was clearly not high-priority. “Saleem got visibly upset when we didn’t communicate as “critical security update” and decided to share his opinion on the subject,” wrote Larchevêque.

On Mar. 20, Ledger published another update that explained three problems discovered by bounty program researchers: Timothée Isnard, Saleem Rashid and Sergei Volokitin. Interestingly, Rashid denied this statement because signing Ledger’s Bounty Program Agreement would disallow him for publishing a technical report, which he clearly did on the very same day. As for the new updates, Rashid explained that he wasn’t allowed to receive the ‘release candidate’ by the company, but he believed that the new fixes were not completely free from hacker attacks.

“Is it truly possible to use a combination of timing and “difficult to compress” firmware to achieve security in this model?”, wrote Rashid. He received support from cryptographer Matthew Green, who explained in a lengthy Twitter thread how the teenager was able to break through Ledger’s secure tactic.

The teenager, who lives in U.K., previously uncovered a problem in cryptocurrency hardware wallet TREZOR One. The issue was resolved with a healthy communication between both parties. SatoshiLabs CEO, Marek Palatinus, even praised Rashid for his work, “His out-of-the-box thinking and creative approach help us to make an even more secure product.”

Code:
Source: https://www.ccn.com/15-year-old-hacks-hardware-crypto-wallet-ledger/
Jump to: