Topic: Ledger fake device Warning! (Read 658 times)

HCP
legendary
Activity: 2086
Merit: 4361
July 12, 2021, 05:03:14 PM
#42
But if you don't type the seed on the device, then aren't you still safe? I mean the hack is if you download the fake Ledger Live, don't you still need to type your seed?
You can't type your seed on the device... because it doesn't work like a real ledger... it is essentially a USB thumb drive that looks like a Ledger.

The idea is that a victim plugs it in... and it opens up the folder showing the ledger.exe that they run... and then it asks for the seed. In an ideal world, the user is smart enough to remember that you should never type your hardware wallet seed into any device that is not your hardware wallet itself and they will be fine.

However, we don't live in an ideal world and given how much money the Nigerian princes are still making... there is probably a non-zero chance that someone will fall for something like this and lose coins.

I mean, "EvilMe"™ was just thinking:

1. Twitter/youtube giveaway ("ReallyEvilMe"™ looks over at "games and rounds" forum)
2. Send out fake devices, but promote it as a way to "migrate your current wallet to the security of a hardware wallet"
3. Get people to input their current 12/24 word seeds from their desktop/mobile/web wallets into your fake app.
4. Profit!

I would like to think that something like that wouldn't work... but "RealisticMe"™ knows otherwise.
legendary
Activity: 2212
Merit: 7064
July 11, 2021, 07:10:22 AM
#41
You should NEVER type your seed anywhere online or into any other program; seed words are only generated and entered directly on the hardware wallet device.
Doing anything differently means that you are at high risk of being the victim of some phishing scheme, either by fake device or by fake software.
legendary
Activity: 2730
Merit: 7065
July 11, 2021, 02:29:22 AM
#40
@jerry0
Check the pictures in the OP. The last two show a manual of how to configure the fake device, select the number of seed words, and then enter them in a fake software (not the real Ledger Live). Once you do that, the information is transmitted to the hackers. As you know, your seed is never supposed to be entered into a software and you shouldn't use or accept any hardware wallets from anyone that you didn't order yourself.
full member
Activity: 1750
Merit: 186
July 10, 2021, 04:05:42 PM
#39
But if you don't type the seed on the device, then aren't you still safe? I mean the hack is if you download the fake Ledger Live, don't you still need to type your seed?
legendary
Activity: 2212
Merit: 7064
July 10, 2021, 05:24:14 AM
#38
Which is another huge mistake. If I sent you a letter with a Bank of America letterhead (replace with the name of your bank) saying your account is being upgraded and you need to send all your money to this new account, you would be branded a fool if you fell for it. This is essentially no different to what this fake Ledger letter says.
Those fake bank letters still exist, and they have existed for decades, because people are still falling for scams like that.
We have a similar thing in crypto with fake exchanges and web wallets, fake giveaways, etc.

Follow up question: Do we know if anyone has actually fallen for it yet?
It's like asking if there are people who have fallen for the other Ledger phishing scams that resulted from their leaks. I am sure there are, but I don't have any proof of that.
You can see people complaining all the time on the Ledger reddit page about how they got scammed and lost coins.
legendary
Activity: 2268
Merit: 18711
July 10, 2021, 02:17:18 AM
#37
They are following instructions, but those instructions from the box are all fake.
Which is another huge mistake. If I sent you a letter with a Bank of America letterhead (replace with the name of your bank) saying your account is being upgraded and you need to send all your money to this new account, you would be branded a fool if you fell for it. This is essentially no different to what this fake Ledger letter says.

I'm not disagreeing that this isn't a flaw with Ledger devices, especially when they suggest examining the hardware to ensure authenticity (which we now know is not a guaranteed method), but you have to really not be paying attention to what is going on to actually fall for it.

Follow up question: Do we know if anyone has actually fallen for it yet?
legendary
Activity: 2730
Merit: 7065
July 10, 2021, 01:49:07 AM
#36
They are following instructions, but those instructions from the box are all fake.
I can even imagine that scammers could add some link on the paper that would lead customers to some phishing website.
That's correct! In the images you posted in the OP, we can see one with setup instructions where the user is instructed to enter his seed phrase into the fake software. Anyone who has ever used a Ledger device knows that this is not the way a Ledger hardware wallet works and is set up. Those who don't pay attention or are just starting out wouldn't notice that something is off. But that's not an excuse, because if the devices were shipped to users from the original leaked database, they should already be familiar with the way the devices work.

If something like this was shipped to me, my first question would be why is Ledger sending me this without checking with me first and making sure I still live at that address? It doesn't make sense.
legendary
Activity: 2212
Merit: 7064
July 09, 2021, 09:17:09 AM
#35
Yeah... it was basically the same as the first fake... but instead of having an extra Mass Storage module soldered onto the Ledger's mainboard, he simply replaced the chip with a generic one and then programmed it to act as the mass storage with a fake .exe etc.
The only thing you need is good soldering skills, so you don't make a mess when removing the old chip and placing the new one.

And still, as with almost everything in crypto, if the user just followed the instructions then the entire attack is useless.
They are following instructions, but those instructions from the box are all fake.
I can even imagine that scammers could add some link on the paper that would lead customers to some phishing website.

Reading and paying attention to any single one of these, let alone all of them, would be enough to foil this attack. The more I think about it, the more I realize just how monumentally you need to mess up to fall victim to this, regardless of whether or not it is detectable that the device has been modified.
I could also say that, without reading all that you mention, it is very easy to trick anyone and steal crypto from them, especially if they are newbies.
legendary
Activity: 2268
Merit: 18711
July 09, 2021, 05:15:51 AM
#34
There was literally zero visible difference between his fake with the replaced chip and an authentic Ledger device
And still, as with almost everything in crypto, if the user just followed the instructions then the entire attack is useless.

There are multiple steps, quite clearly laid out in Ledger's documentation, which would stop this attack. Did you buy from an official Ledger seller? Did you connect to Ledger Live to confirm authenticity? Did you update the firmware? Did you pay attention to the warning to never enter your seed phrase anywhere but directly on your hardware wallet? Did you pay attention to the fact that nowhere in the setup guide does it mention mounting as a storage device, running software, or entering your seed phrase?

Reading and paying attention to any single one of these, let alone all of them, would be enough to foil this attack. The more I think about it, the more I realize just how monumentally you need to mess up to fall victim to this, regardless of whether or not it is detectable that the device has been modified.
HCP
legendary
Activity: 2086
Merit: 4361
July 08, 2021, 04:58:58 PM
#33
So by removing the original chip, he was able to replace it with the same type of chip that contains an unofficial firmware. If you were to plug that device into your computer and open up the official Ledger Live software, the hardware device wouldn't be able to connect to Ledger servers, download updates, or new firmware releases. That's how you could tell it's fake.

I guess it has to come hand in hand with a fake software and installation instructions that ask the victim to enter their seed into the software. You will have to make multiple mistakes and completely swerve away from everything you learned about setting up a hardware device, storing a seed, and so on.

I still think that will be enough for plenty of people to be tricked into losing their crypto assets.
Yeah... it was basically the same as the first fake... but instead of having an extra Mass Storage module soldered onto the Ledger's mainboard, he simply replaced the chip with a generic one and then programmed it to act as the mass storage with a fake .exe etc. (in the video it was just set up to launch a calculator, but had the name Ledger.exe and the Ledger Live logo etc.)

The only difference between this and the first fake was that you couldn't tell that the hardware was fake by opening the device and inspecting it. There was literally zero visible difference between his fake with the replaced chip and an authentic Ledger device

So, theoretically, this is a slightly better fake than the ones already in circulation...
legendary
Activity: 2212
Merit: 7064
July 08, 2021, 05:22:21 AM
#32
And that's what I don't get... mailing some random person a hardware wallet? Mind you, people™ are stupid and like free stuff... so if you managed to get the details of people, say by running a fake giveaway on Telegram or Twitter etc... you could probably find a lot of people to send them to.
Exactly, a Twitter giveaway would be perfect for this scheme, and everyone likes giveaways and free stuff, even people who are not poor.
They can just inspect their profiles and choose someone manually based on their post history, or they can call people from the leaked Ledger list and tell them they won a new free Ledger.
This process is always evolving and scammers will come up with something even smarter, so everyone had better be alert.

I still think that will be enough for plenty of people to be tricked into losing their crypto assets.
People can easily get tricked to inject poison in their body if you tell them it's for their health and if you wear a white coat, so I am sure many people will also fall for this scheme with hardware wallets.
legendary
Activity: 2730
Merit: 7065
July 08, 2021, 04:34:48 AM
#31
So by removing the original chip, he was able to replace it with the same type of chip that contains an unofficial firmware. If you were to plug that device into your computer and open up the official Ledger Live software, the hardware device wouldn't be able to connect to Ledger servers, download updates, or new firmware releases. That's how you could tell it's fake.

I guess it has to come hand in hand with a fake software and installation instructions that ask the victim to enter their seed into the software. You will have to make multiple mistakes and completely swerve away from everything you learned about setting up a hardware device, storing a seed, and so on.

I still think that will be enough for plenty of people to be tricked into losing their crypto assets.
HCP
legendary
Activity: 2086
Merit: 4361
July 07, 2021, 04:19:16 PM
#30
Exactly, and we can say that new people who have never used hardware wallets before may be their main target.
And that's what I don't get... mailing some random person a hardware wallet? Mind you, people™ are stupid and like free stuff... so if you managed to get the details of people, say by running a fake giveaway on Telegram or Twitter etc... you could probably find a lot of people to send them to. Whether those people are likely to have anything worth stealing though?


They can get addresses of people who ordered a Ledger from the database leaked when Ledger got hacked, but I doubt many will fall for this cheap trick.
And that's the rub isn't it... a list of people who think they have (or will have) assets worth protecting are less likely to fall for this... whereas ones who have never used a hardware wallet will likely fall for it more easily, but are less likely to have assets worth a lot.

Ultimately, it's an interesting story... but I don't anticipate it being a "huge" problem (like phishing websites and fake software downloads etc)
legendary
Activity: 2212
Merit: 7064
July 07, 2021, 11:45:50 AM
#29
Interesting... It's basically the equivalent of mailing someone a phishing website.
Exactly, and we can say that new people who have never used hardware wallets before may be their main target.
They can get addresses of people who ordered a Ledger from the database leaked when Ledger got hacked, but I doubt many will fall for this cheap trick.

You have to wonder what the capital investment is here... $60+shipping for each device, probably not more than a few dollars for the replacement chips, then the postage to send them out. All in the hope that people are going to give you their 24 word seed.
They can make cheap 3D-printed cases with packaging and get cheap Chinese drives, so shipping would probably be the most expensive part for them.

Still, if you sent out 500 units, I guess you only really need 1 person with 1+ BTC to fall for this to make some money.
Scammers earned more money from bitcoin YouTube scam giveaways, because people are not using their brains as much as they should, so this scheme would also pay off.
HCP
legendary
Activity: 2086
Merit: 4361
July 06, 2021, 04:44:04 PM
#28
Interesting... It's basically the equivalent of mailing someone a phishing website.

You have to wonder what the capital investment is here... $60+shipping for each device, probably not more than a few dollars for the replacement chips, then the postage to send them out. All in the hope that people are going to give you their 24 word seed.

Still, if you sent out 500 units, I guess you only really need 1 person with 1+ BTC to fall for this to make some money.
legendary
Activity: 2268
Merit: 18711
July 06, 2021, 05:43:10 AM
#27
Here is one more easy way to create an identical clone of a Ledger wallet by simply replacing the main STM32 chip and creating a malicious Ledger with a small implant.
He also says in the video he can exploit a vulnerability in the native STM32 chip using ChipWhisperer to turn it into a mass storage device, although he doesn't show this. But he does show simple replacement of the STM32 chip, and the hardware wallet then behaving as a mass storage device despite looking physically identical. So as you say, physical inspection of the device is no longer a reliable method to rule out maliciousness.

Ledger obviously does not consider this to be a vulnerability, and they only care about the secure element, but this is an easy method to trick anyone with fake instructions.
I'm not sure which side of the fence I fall on here. Obviously it is a significant weakness that a device can be imperceptibly modified to behave in such a way. However, such an attack also does nothing to the secure element and requires significant naivety and mistakes on behalf of the user, along with significant deviation from all of Ledger's instructions and guides available on paper and their website, to actually be successful. It's kind of similar to the malicious Electrum hack prior to 3.3.4. The vulnerability itself (showing an arbitrary message/mounting as a mass storage device) cannot steal anybody's coins unless they also do a lot of very stupid things (download and fail to verify unknown software/launch unknown software and type their seed phrase into it).
legendary
Activity: 2212
Merit: 7064
July 06, 2021, 04:58:04 AM
#26
Here is one more easy way to create an identical clone of a Ledger wallet by simply replacing the main STM32 chip and creating a malicious Ledger with a small implant.
This was done by @_MG_ and there are no visible hardware changes, so by opening your Ledger wallet case you would not be able to notice that it is malicious.
Ledger obviously does not consider this to be a vulnerability, and they only care about the secure element, but this is an easy method to trick anyone with fake instructions.
Unrelated to that, I think that all hardware wallet manufacturers will have some problems in the near future because it's now very hard to find any chips on the market, due to the shortage.


https://youtu.be/oARxLV_vnh0
legendary
Activity: 2268
Merit: 18711
June 26, 2021, 07:43:32 AM
#25
I will not use any hardware wallet that was sent from some unknown origin and that I did not request or pay for.
This should extend to all computer hardware and devices. You often see stories of people saying "I found this USB drive/SD card/digital camera/CD labelled "vacation photos" etc., so I plugged it into my computer to see if I could figure out whom it belonged to and return it to them." Terrible idea, and you open yourself up to attack by all kinds of malware by doing so. It's for the same reason you shouldn't use public charging points for your phone, as again, you have no idea if it is a simple charging point or if there is actually malware inside the USB cable or the adapter waiting to transfer to your device as soon as you connect. Use your own battery packs instead, or buy or make your own USB cable with the data pins removed so it can only transfer power and nothing else.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
June 26, 2021, 07:23:28 AM
#24
Holy smoke... these attackers are really going out of their way to scam people. Normally an attacker will not spend money to receive money, but these people obviously spend a lot of money to send these "fake" hardware wallets out to people.

OP, thank you for this information... I will not use any hardware wallet that was sent from some unknown origin and that I did not request or pay for. (I have several hardware wallets, but I seldom store large amounts on any of them.. my safest wallet is still my paper wallets)
legendary
Activity: 2268
Merit: 18711
June 26, 2021, 04:04:04 AM
#23
Don't forget USBHarpoon either. USBHarpoon - a charging cable that can hack your computer.

It works as a normal data transfer and charging cable, but once connected, it's able to download malware and execute various commands.
Yes, it's a more blunt version of the USBNinja which I linked to above.

The USBHarpoon has a predetermined payload on the chip, which is then hidden inside a USB cable. When the USB cable is attached, the computer recognizes it as an input device such as a keyboard, allowing the payload to send arbitrary commands to the computer such as to open a web browser, navigate to a specific site, and then download and run some malware.

The USBNinja is the next step up. It works along the same lines, but the chip inside the USB can be wiped and have a new or different payload uploaded on to it, and rather than triggering automatically as soon as the cable is attached, it can be triggered at any time by the attacker broadcasting a wireless signal. This allows them to time their attack for when the cable is attached but you are not physically at your computer, so you don't notice any of the things that are happening and cannot intervene to stop them.
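Added example (not code from anyone in this thread, nor Ledger's): a small USB descriptor audit that flags the two impostor patterns discussed above, a "Ledger" that enumerates as a mass storage drive (posts #27 and #33) and a charging cable that enumerates as a keyboard (USBHarpoon/USBNinja, post #23). It assumes a genuine Ledger exposes a HID interface (USB class 0x03) and never a mass storage interface (class 0x08); the descriptor records at the bottom are constructed for illustration.

```python
from dataclasses import dataclass, field

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01

@dataclass
class UsbInterface:
    cls: int
    subclass: int = 0
    protocol: int = 0

@dataclass
class UsbDevice:
    manufacturer: str
    product: str
    interfaces: list = field(default_factory=list)

def is_keyboard(iface):
    """True for a boot-protocol keyboard, which is what BadUSB devices emulate."""
    return (iface.cls == USB_CLASS_HID and iface.subclass == HID_SUBCLASS_BOOT
            and iface.protocol == HID_PROTOCOL_KEYBOARD)

def audit_device(dev, expected):
    """Findings for dev given what the user expected to plug in ('ledger',
    'charger' or 'keyboard'). Product strings are attacker-controlled, so only
    the interface descriptors are trusted. Empty list means nothing suspicious."""
    findings = []
    classes = {i.cls for i in dev.interfaces}
    if expected == "ledger":
        if USB_CLASS_MASS_STORAGE in classes:
            findings.append("mass storage interface: a genuine Ledger never mounts as a drive")
        if USB_CLASS_HID not in classes:
            findings.append("no HID interface: Ledger Live could not talk to this device")
    elif expected == "charger" and dev.interfaces:
        # A power-only cable or adapter has no data pins and enumerates nothing.
        findings.append("a charger should not enumerate as a USB device at all")
    if expected != "keyboard" and any(is_keyboard(i) for i in dev.interfaces):
        findings.append("keyboard interface: the device can type commands into the host")
    return findings

# Constructed descriptor records for illustration: a real-looking Ledger, the
# thread's fake (generic chip reprogrammed as mass storage) and a BadUSB cable.
GENUINE_LEDGER = UsbDevice("Ledger", "Nano S", [UsbInterface(USB_CLASS_HID)])
FAKE_LEDGER = UsbDevice("Ledger", "Nano S",
                        [UsbInterface(USB_CLASS_MASS_STORAGE, 0x06, 0x50)])
BADUSB_CABLE = UsbDevice("Generic", "USB Cable",
                         [UsbInterface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)])

if __name__ == "__main__":
    for name, dev, expected in [("genuine Ledger", GENUINE_LEDGER, "ledger"),
                                ("fake Ledger", FAKE_LEDGER, "ledger"),
                                ("suspect cable", BADUSB_CABLE, "charger")]:
        print(f"{name}: {audit_device(dev, expected) or ['ok']}")
```

On a real host the records would come from the operating system's USB enumeration (for example sysfs on Linux) rather than being hand-built; the decision logic stays the same.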