
Topic: Ledger App Isolation Bypass Vulnerabilities (Read 206 times)

legendary
Activity: 2576
Merit: 1655
August 06, 2020, 02:04:23 PM
#6
do not connect to just any 3rd party application and try to keep your ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case.

If you connect your Ledger to third-party malicious software, they could steal your BTC.
That's kind of a serious vulnerability; sadly, Ledger didn't handle it well.

This one, we really don't know if they ignored monokh or just totally forgot about it. And now it is out on crypto social media and it seems they are too late again in reacting, making them look very bad again.
legendary
Activity: 3038
Merit: 2162
First the data breach, now the disclosure of this vulnerability, which seems to have been there for more than a year. Some people would say that Ledger is a bad company, but I think other hardware wallet companies aren't immune from such issues, and in the long run they too will have their share of security failures. What we should learn from this is that there are no simple solutions that can allow users to bypass deeper learning of Bitcoin and security. Bitcoin's decentralized nature makes it have much higher security requirements than its centralized competitors.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
do not connect to just any 3rd party application and try to keep your ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case.

If you connect your Ledger to third-party malicious software, they could steal your BTC.
That's kind of a serious vulnerability; sadly, Ledger didn't handle it well.
legendary
Activity: 2758
Merit: 6830
An update with the fix (kinda) is already available on the Ledger Live: https://twitter.com/ledger/status/1291061084435238912

There is now a warning that should make users aware of a potential issue with that.

Here is their FAQ: https://support.ledger.com/hc/en-us/articles/360015738179
legendary
Activity: 2828
Merit: 1222
Just looking for peace
https://donjon.ledger.com/lsb/014/

One should be very careful when using hardware wallets (or any, for that matter).

do not connect to just any 3rd party application and try to keep your ledger with BTC separate from shitcoins.


Code:
Date	Action
2020-05-02 monokh sent to [email protected] a vulnerability report about app isolation bypass.
2020-05-04 Ledger’s security team acknowledged the reception and starts investigating.
2020-05-10 to 2020-05-13 monokh and the Ledger security team discussed the issue. Ledger’s security team started coordinating other Ledger teams to fix it. A disclosure date is being set to 90 days (that is, 2020-08-02).
2020-08-02 90 days deadline reached. Ledger started the test and release process for the fixed Bitcoin app.
2020-08-04 monokh published the details of the vulnerability, without informing Ledger’s security team beforehand through [email protected].
2020-08-05 Ledger updated the Bitcoin app.


So much miscommunication.
hero member
Activity: 1344
Merit: 540
I found this post, https://monokh.com/posts/ledger-app-isolation-bypass.

It's about supposed vulnerabilities on Ledger,

Quote
The ledger device exposes bitcoin (mainnet) public key and signing functionality outside of the "Bitcoin" app. It presents misleading transaction confirmation requests indicating the selected app's addresses and amounts when in fact different transactions are being signed.

I'm not an expert or anything, but it looks like Ledger hasn't addressed these issues so far, or they are being addressed right now; it looks like it's taking months for them.

On that expose, you see the Disclosure Timeline.

Quote
Disclosure Timeline
18 Jan 2019 - Privacy related aspect of the vulnerability (reading addresses) disclosed to Ledger via report and PoC. ([email protected])
Ledger: Firmware was updated but apps still need to be updated.
Prompted for public disclosure: Bug will be disclosed once apps are updated.
30 Apr 2019 - Disclosed issue unfixed - Ledger contacted for update. No response. ([email protected])
1 May 2020 - Discovered root cause expands to signing functions and can be exploited to steal funds ([email protected])
2 May 2020 - New report detailing bypassing the isolation for signing disclosed to Ledger with new report and PoC ([email protected])
4 May 2020 - Ledger investigating. ([email protected])
10 May 2020 - No response. Follow up. ([email protected])
12 May 2020 - Issue acknowledged - mistakenly at first as only privacy related - set out disclosure timeline ([email protected])
13-14 May 2020 - Exchanges with ledger clarifying severity and awareness ([email protected])
17 June 2020 - Request for update ([email protected]) - No response
28 July 2020 - Request for update sent to Ledger Donjon (Twitter DM) - No response
03 Aug 2020 - Vulnerability not fixed or disclosed by Ledger. Public disclosure
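
An added example, not part of any post in this thread and not Ledger's firmware or app code: a sketch of the check whose absence the quoted report describes, where a request is honoured only if its derivation path belongs to the coin of the currently selected app. It assumes BIP44-style paths and SLIP-44 coin types (0 Bitcoin, 1 testnet, 2 Litecoin); the app names and the functions `parse_path` and `path_allowed` are hypothetical.

```python
# Added illustration; names are hypothetical, not Ledger's code.
HARDENED = 0x80000000

# SLIP-44 coin types (subset) keyed by illustrative app names.
APP_COIN_TYPES = {
    "Bitcoin": {0},
    "Bitcoin Test": {1},
    "Litecoin": {2},
}
ALLOWED_PURPOSES = {44, 49, 84}  # BIP44 / BIP49 / BIP84


def parse_path(path: str) -> list[int]:
    """Parse "m/44'/0'/0'/0/5" into BIP32 child indexes (hardened bit set)."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    out = []
    for p in parts[1:]:
        hardened = p.endswith(("'", "h"))
        digits = p[:-1] if hardened else p
        if not digits.isdigit() or int(digits) >= HARDENED:
            raise ValueError(f"bad path element: {p!r}")
        out.append(int(digits) | (HARDENED if hardened else 0))
    return out


def path_allowed(app: str, path: str) -> bool:
    """True only if the path's coin type belongs to the selected app."""
    try:
        idx = parse_path(path)
    except ValueError:
        return False  # fail closed on anything malformed
    if app not in APP_COIN_TYPES or len(idx) < 3:
        return False
    purpose, coin, account = idx[0], idx[1], idx[2]
    # Purpose, coin type and account must all be hardened.
    if not all(i & HARDENED for i in (purpose, coin, account)):
        return False
    return ((purpose ^ HARDENED) in ALLOWED_PURPOSES
            and (coin ^ HARDENED) in APP_COIN_TYPES[app])
```

With this policy a Bitcoin mainnet path requested while the hypothetical "Litecoin" app is selected is rejected, while the same path under "Bitcoin" is accepted.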
