Topic: is the ledger can be hackable ? (Read 245 times)

It depends on what is meant by Ledger. If we are talking about a company, then you correctly said that this company was hacked with the theft of personal data of their customers. If by Ledger we mean their hardware wallet, then no, these devices have not been hacked by hackers at the moment. Enthusiasts and the bounty programm participants previously found ledger wallet vulnerabilities, but these vulnerabilities have already been fixed in new firmwares.

I guess any device can be hacked. It's just a matter of time and resources. Ledger including.

This means that no human effort is the most perfect. Even though after creating the most sophisticated security system, there are still gaps for hacker to enter and break into it. Yes. There are 2 sensations that they get there. Satisfied and get money.

And not just Ledger, but most other HWs that operate on the same principle, and especially if they start acting like Ledger in a rather strange and irresponsible way. In fact, for years since the massive data leak from this company happened, trust has been lost, and if you do not have confidence in someone or something, it becomes completely irrelevant whether something can be hacked or not.

I will not say that there are no HW that do not have really high standards at the moment, but I think that in the future we should refrain from recommendations when it comes to such devices. A properly made airgapped wallet is something I would still put in the first place when it comes to safe storage of private keys.

The attacks you mentioned require physical access to your hardware wallet, and some time based on the experience of the hackers, so whenever you lose access to your wallet, you must quickly transfer your money.

To avoid these attacks, all that is required of you is to be more careful, do not click randomly on links, and you must use an open source operating system.

Data leakage is not related to the customer's money or the security of the wallet, it is to the customer's privacy, which is basically not the goal of these wallets.

---

@teoliya33  The Ledger problem is that you need to update the firmware, and the latest update contains the Ledger Recovery service that encrypts and accesses your private key, which may mean that third parties may be able to access your currencies and that they are not generated offline.
This may cause future problems but for now you can use Keystone 3, Coldcard or DIY HW.

https://bitcointalksearch.org/topic/ledger-recovery-send-your-encrypted-recovery-phrase-to-3rd-parties-entities-5452900

I think many users are confuse between hack and attack.

Phishing, malware, keylogger, spyware or anything that caused by the user fault, isn't hacking, but these are online attack.

While hack mean the user didn't do any fault, they have make sure they're not do anything wrong, but someone access their wallet. Since ledger send the encrypted private key to other partners, this mean if someone can break the encrypted file, they can access your wallet even you're didn't do anything wrong.

So in summary, ledger is hackable.

Anything is hackable even the NASA is hackable then what is Ledger in front of it. hehe. Just kidding. but i mean the statement of anything is hackable because let's say you have a ledge Hardware wallet, which you wanted to update but you downloaded the latest version from a wrong website (or i would say from the hacker's website) then your ledger will be hacked. Or if you are connecting your ledger with a website, platform or any computer which has backdoor integrated by hackers. Then your ledge will be compromised too.

Overall, until you will not allow hacker to get into your system, either it is down by intentions or unintentional but in both scenario Hackers will find a way to get into your ledger. So, best practice is to remain active and be aware of all the currently on going flaws, backdoors, hacks and scams in the market. Because once you knew those scams then you will be able to avoid from them. Just like a latest case recorded here in which OP opened his wallets after quite some time and did not catch with the latest information that the old version of Electrum had phishing links which will show messages to you to upgrade your Electrum by using their provided link and once you will do that your assets are gone. (that's quite sad because that person got scammed with 600 ponds i think) (Source .

The point is, you have to keep an eye on all the news related to ledger and have to remain up-to-date with all the versions and information and what to do and what not to do points so that you could be able to save your assets and avoid hacking of your ledger too.

Just a heads up that while the Ledger recovery service thing is definitely worrisome, these data leaks doesn't credit nor discredit Ledger hardware wallets' security. These data leaks are in the Shopify(eCommerce arm) side of things.

Data leaks only compromises the privacy not the security of our funds since the private keys are generated and stored in the local storage alone not in the online servers which means the funds will be safe as long as the private keys are safe.

About their recovery service which is highly risky, we are giving away our private keys to stored in their servers in the encrypted form but it doesn't ensures 100% security like our own custody. Anyway its optional so whoever pays money and requires that service are vulnerable to it not everyone who own ledger.

The Ledger hardware wallet may no longer be considered safe due to a recent firmware update that could potentially lead to data leaks. I think Its more advisable to consider using an alternative hardware wallet, such as Trezor, or even opting for an air-gapped device.

I want to add that even with Ledger or any other hardware wallet, there are still security risks if you store your seed phrase online or if someone gains physical access to it. In addition to that phishing links can also pose a hacking threat.

Ledger has been hacked already from the inside.
They are closed source device and they recently announced controversial Recovery function that makes it very unsecure, since your seed phrase is not only yours but they shared it with different company partners.
On top of that, they got personal customer data leaked and this information was released in public several times, so they don't know how to secure user data very well.
Stay away from ledger wallet and choose other open source devices!

I do have one but an old model. However, it's genuine and 100% working as of now. I never opted to use their Ledger Recover feature which doesn't define them anymore as a 100% offline and non-custodial type of wallet.

Although it is optional but I would never opt for it anyway. I've kept some of my most important assets there like Bitcoin, Ethereum, etc.

It can be hacked once I am careless of inputting my seed phrases to a 3rd party website or app despite that it is generated by a hardware wallet.

So there are various types of hacks which we are talking about and if you already have malware in your system where you connect the ledger to, then there is basically no use of hardware wallet. It will surely manipulate the address when you try to send Bitcoin or any other crypto-asset or If you copy your wallet address to send it to someone, it will also be replaced.

Other than that, If you are talking about attacks on Ledger itself, there are some of those possible however you would be pretty much fine if you don't allow third person to touch your device.

If you're the usual internet user and aware of what you're downloading, there's nothing to worry about. If you're the type of person that do likes to download crack version of software, and easily attracted to unsolicited links. That's the time that you have to worry.
All system can be hacked and that's why Ledger keeps on updating their software and firmware. But that doesn't mean you should be confident because most of the users that have been hacked is because of their own fault and negligence.

It is difficult to hack a hardware wallet because it stores keys offline, that's not to say that you can't be hacked if you use a hardware wallet, but it'd have to be as a result of your own folly, or if you buy one that has been tampered with. Let's say you receive a phishing email that deceives you to enter your recovery phrase, if you fall for it, the attackers will steal your assets, and a hardware wallet cannot save you in that situation.

Hardware wallets can also be hacked if the physical device is stolen, but in that case if you have a strong password and passphrase you should be able to move your assets to a new wallet with your recovery phrase before any harm can possibly be done. Having said that, Ledger is a bad choice of a hardware wallet, your recovery phrase should be kept by just you, but Ledger in their new update have made it known that they can extract it and send it to third parties all in the name of spurious security; thus you had better choose another hardware wallet if you have intentions of buying one.

Ledger wallet was one of the top most used hardware wallet before some vulnerability was discovered on it for less security safety which means, there could be any chances of getting attacked through the use of malware on the device you're using when handling a ledger hardware wallet, some of these attacking vulnerabilities makes it more disastrous to use them and people detect this privacy bridge of third party as a means to introduce any harm to thebuse of this same wallet, there are other more secured hardware wallets aside ledger, or maybe you make use of an electrum cold storage wallet on an airgapped device or run a full node.

There have been some instances in the past where ledger has suffered some hacks but it's because of the people who give their seed phrases to others which drained their funds or say data leak from third party companies that exposed users mails causing these funds loss but still it was good option for hardware wallet except some model which have battery issues or others but if you have gone through this thread Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities have made them loose business as they are sharing keys with others which totally vanish the concept of your keys.

So this has lead to disappointment among users of the wallets and they are now turning more to Trezor because of this but if you are asking for direct hacks then it was not the case but somehow data leaks have caused this issue.

What wallet you use, it is important to have good Internet habit. Do it healthy and carefully, our devices will be clean and we are safe, our bitcoin will be safe as well.

And don't buy used (second hand) Legder wallets. If you can not buy a complete new Ledger wallet, you can find alternative with free non custodial wallets and you can set up multisig wallets or cold wallets. It is safer than buying a second hand hardware wallet and use it with fear that you will lose your bitcoin.

Malware poses a significant risk to your Ledger, including Trojans and ransomware. If your Ledger gets infected with a Trojan virus, it can steal your seed. On the other hand, if it gets infected with ransomware, you may lose access to your seeds. Attackers will demand a ransom to restore access, or you may be unable to recover them. Always remember to back up your seeds.

To prevent malware infections, be cautious while browsing online. Enable security features like two-factor authentication and keep your anti-virus software up to date for better protection.

Most possible scenarios that target ledger wallet can be found in the following official ANSSI docs:

https://www.ssi.gouv.fr/uploads/2019/10/anssi-cible-cspn-2019_12en.pdf
https://www.ssi.gouv.fr/uploads/2019/02/anssi-cible-cspn-2019_03en.pdf

which describe threats and relevant countermeasures implemented in  both X and s models of devices.

Despite that those docs are vast in their analysis they lack the latest scenario that may occur with Ledger's decision to share user's SEED phrase with 3^rd parties. More on that you can find when  reading dedicated forum's thread.

The phone or computer that you are using with ledger should no have malware. If it has malware, hardware wallet can resist malware than online wallets, but not all malware can hardware wallets resist. Avoid clipboard malware because it is on your phone or computer that you will copy and paste the address.