Author

Topic: Advice for Existing Ledger Users (Read 290 times)

copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
February 08, 2018, 04:11:51 AM
#12
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw Tongue

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™
Okay. Thanks for the information, I am a bit shit here while reading above posts except with this reply since I used ledger too Cheesy but the good thing I never ever used their chrome apps.
I always used electrum and mycelium to send and receive with btc using ledger and myetherwallet in ethereum.
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
February 07, 2018, 04:23:05 PM
#11
I'm a bit late on this, but 2 days ago Ledger updated the Chrome app to prompt users to confirm the address with the one displayed on their device. This is now not only for Bitcoin but all coins. https://www.ledger.fr/2018/02/05/man-middle-attack-risk/
member
Activity: 161
Merit: 10
February 06, 2018, 04:56:21 PM
#10
Interesting topic! Half an hour ago I did not think at all and could not imagine that Leger can be hacked and I can lose all the savings ((
Thanks for increasing the level of paranoia Grin
But now, I read the topics and decided that as soon as the Grid + device appeared on the market, it would be safe to store crypto-currencies online. In the meantime, it is necessary to be vigilant and remember that we live and work in an insidious environment. There are no ideal solutions, and all users need to be informed about the advantages and potential drawbacks of all existing solutions for storing crypto currency.
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
February 05, 2018, 10:26:23 AM
#9
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw Tongue

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

It's a good thing that it's possible to use Electrum or other desktop wallets to send with, but I think it's definitely still a big problem because of how many users use the chrome apps.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
February 05, 2018, 08:43:42 AM
#8
Yes, it's the Ledger Chrome App and not the device. I haven't been specific enough in the original post, sorry.
HCP
legendary
Activity: 2086
Merit: 4361
February 05, 2018, 12:06:50 AM
#7
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw Tongue

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
February 04, 2018, 09:02:16 PM
#6
I have a Ledger and had no idea about that button that displays the address on the device. Thanks for this information.
legendary
Activity: 1288
Merit: 1087
February 04, 2018, 08:09:28 AM
#5
people weren't validating on machine already?

it should be reemphasized that the only thing a hardware wallet will do well is shield your private keys. the actual transactions are still pretty vulnerable to being hijacked.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
February 04, 2018, 07:20:06 AM
#4
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

But for example, Trezor wallet users are enforced to use 2FA for the address used to receive. You can have your own opinion of course but hardware wallets are still one of the best methods to use and a lot better than storing on a web-based wallet lol, (which the majority does).
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
February 04, 2018, 06:42:32 AM
#3
Thanks for this info,it is something which certainly can be of concern to all users of hardware wallets.Actually it all comes down to security of user PC,if all security measures have been taken and if sending address is validated the risk is reduced to a minimum.

I assume that this threat is valid even for users who use Electrum with Ledger,or it is only affects Ledger Bitcoin Wallet in Chrome Apps?

It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
-New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

Where the average user should store coins?If hardware wallets become unsafe,what to say about any desktop or online wallets.I know that only cold storage is safe option,but 9 of 10 users do not know what is cold storage and how to make one.

Good antivirus+firewall+malware protection and some common sense,this is all you need to be safe.
sr. member
Activity: 251
Merit: 257
February 04, 2018, 05:46:43 AM
#2
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
-New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
February 04, 2018, 04:37:48 AM
#1
An attack vector has been found last month. Nothing really critical. Users can easily be safe if they double check: Users need to validate the integrity of the address before, as a precaution. (if using ethereum app better to use  Live CD O.S.)

More details can be found in this PDF here

Quote
The Attack
Ledger wallets generates the displayed receive address using JavaScript code running on the host machine.

This means that a malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.

Because receive addresses are consistently changing as part of the usual activity of the wallet, the user has no trivial way (like recognizing his address) to verify the integrity of the receive address.

As far as he knows, the displayed receive address is his actual receive address




What Makes This Even Worse

Quote
- All the ledger wallet software is located in the AppData folder, meaning that even an unprivileged malware can modify them (no need to gain administrative rights).

- The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.

- All the malware needs to do is replace one line of code in the ledger software, this can be achieved with less than 10 lines of python code.

- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

- The attack changes the receive address during its generation, causing even the automatically generated QR to be updated to the attacker’s address. Meaning that both the string and QR representations of the address are compromised.

Advice for Existing Ledger Customers
Quote
If you’re using the Bitcoin App – Before every receive transaction validate the integrity of the address using the monitor button.

If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At
least until this issue receives some kind of fix.


Jump to: