Pages:
Author

Topic: Ledger fake device Warning! - page 2. (Read 575 times)

legendary
Activity: 2716
Merit: 7007
Farewell, Leo. You will be missed!
June 26, 2021, 04:55:53 AM
#22
Don't forget USBHarpoon either. USBHarpoon - a charging cable that can hack your computer. 

It works as a normal data transfer and charging cable, but once connected, it's able to download malware and execute various commands. The thing works on MAC and Windows, as well as on mobile phones and even drones (as shown on the video in the source link). Scary stuff.
HCP
legendary
Activity: 2086
Merit: 4314
June 25, 2021, 05:21:01 PM
#21
I am not saying that device is fake for sure, but he did receive two Ledger wallets after ordering just one.
I didn't say you did... I was merely pointing out that further posts in that reddit thread would indicate that the user simply received 2 "OG" devices.


Can you explain how that mistake is possible after he ordered it directly from ledger?
Probably the same way my wife once received an airfryer, that she never ordered, along with her actual order of discount comestics. People make mistakes.

Hell, I've received the "same" order twice before from various companies... granted it wasn't from Ledger, but it's certainly not unheard of.

legendary
Activity: 2128
Merit: 6871
June 25, 2021, 08:07:17 AM
#20
...
I am not saying that device is fake for sure, but he did receive two Ledger wallets after ordering just one.
Can you explain how that mistake is possible after he ordered it directly from ledger?
HCP
legendary
Activity: 2086
Merit: 4314
June 25, 2021, 02:04:36 AM
#19
Here is one more guy who claims that he ordered one Ledger Nano X and received two in his package, and one of them looks like it's fake according to photo he posted on reddit.
If this is true that means that Ledger is still leaking some information or they have some dirty insider who is selling customer information.


https://www.reddit.com/r/ledgerwallet/comments/o22p55/is_this_nano_x_pcb_genuine_seen_some_reports/


It doesn't appear to be true... The photo of the backside of the users PCB looks clean:



versus one of the tampered ones with extra component and soldering etc:




And they got it in the "normal" Ledger packaging... not the (very convincing) "fake" packaging and no associated letter etc.
No. Everything came as expected packaging wise. After looking into this, it appears to me that the units pictured as fake are actually genuine micro controller units from ledger that have been implanted with a flash drive that contains a fake ledger live application.

So although mine does match the image of the fake device, it doesn’t have any signs of tampering or additional chipsets so I think I’m all good. Appreciate everyone’s help on this.
legendary
Activity: 2268
Merit: 18492
June 24, 2021, 01:54:49 PM
#18
For real? Shocked
I have a number of USB drives which are barely bigger than the USB port themselves - something along the lines of https://i.imgur.com/9I5cRca.jpg - and yet have storage of 128 GB. You can imagine that it would be easy enough to fit a chip with only a couple of megabytes of storage inside the hub of a USB cable, which is more than enough to store some malware which will self-execute as soon as you connect the cable.

The original malicious cable was known as BadUSB. You can see a GitHub page exploring the concept here - https://github.com/joelsernamoreno/BadUSB-Cable - along with pictures of USB cables being modified to hide the malicious chips inside.

The most recent project I've seen working on this is USBNinja - https://usbninja.com/. Not only will it hide a malicious payload inside a USB cable, but it also hides wireless connectivity hardware which allows an attacker to communicate with the cable and trigger it remotely at a time of their choosing. The payload can be completely customized, to do anything from installing clipboard malware to trying to extract passwords or seed phrases.
legendary
Activity: 2940
Merit: 3368
Crypto Swap Exchange
June 24, 2021, 09:42:04 AM
#17
Probably USB implants can also be smaller. And if needed other parts may get removed to basically keep only the USB functionality. I feel like the "design flaw" is not that big.
Even if their design was better, it's hard to prevent this attacks from happening, I could 3d print ledger case and make my own fake version with some cheap flash drive and send it to many victims of their database leak(s).
Thank you guys for the inputs, it appears that somehow I forgot to consider those things.

I've never noticed my Nano S running hot, so I don't know if temperature was such a concern.
Perhaps I should've been clearer [sorry] but I wasn't reporting any issues with the temps [I thought it might have something to do with the additional/unused small space on the device in question].

or add some self destruction mechanism that would destroy the device if someone opens it,
That'll be a cool feature and there are already a few hardware wallets out there that either came with that feature or later got it [to an extent] as part of an update.

You can get chips which are small enough to hide inside a USB cable, and turn the cable itself in to malicious device.
For real? Shocked
- Just did some digging and the only one that I could find with some explanations was "this" one but even then, there are still conflicting parts.
legendary
Activity: 2268
Merit: 18492
June 23, 2021, 06:16:22 PM
#16
Probably USB implants can also be smaller.
Absolutely. You can get chips which are small enough to hide inside a USB cable, and turn the cable itself in to malicious device. That could very well be the next attack vector: Send out real Ledger devices which are untampered with and so will pass all the physical and electronic checks, while hiding some seed stealing software or similar inside the USB cable. For all the people who have opened up their hardware wallets to check the hardware inside, has anyone ever opened up the USB cable?
legendary
Activity: 2128
Merit: 6871
June 23, 2021, 05:59:54 AM
#15
Interesting video and personally, I have nothing against Ledger but this looks like a design flaw, am I right? I think this could've been prevented
Sure, they could probably seal the case, add epoxy like Coldcard and Bitbox is doing, or add some self destruction mechanism that would destroy the device if someone opens it,
but no Ledger likes to focus on adding more and more useless altcoins Smiley
Even if their design was better, it's hard to prevent this attacks from happening, I could 3d print ledger case and make my own fake version with some cheap flash drive and send it to many victims of their database leak(s).
legendary
Activity: 3500
Merit: 6205
Farewell LEO, you *will* be missed.
June 23, 2021, 04:01:57 AM
#14
Interesting video and personally, I have nothing against Ledger but this looks like a design flaw, am I right? I think this could've been prevented [regardless of the data breach] if there was no room [more compact] for an additional component...
- If the temperature of the device is going to be a concern, then they should probably come up with a new design.

Probably USB implants can also be smaller. And if needed other parts may get removed to basically keep only the USB functionality. I feel like the "design flaw" is not that big.
I've never noticed my Nano S running hot, so I don't know if temperature was such a concern. I think that they just found the standard USB stick size just fine.
legendary
Activity: 2940
Merit: 3368
Crypto Swap Exchange
June 23, 2021, 03:44:25 AM
#13
Here is Kraken Security Labs video doing their own modification for Ledger Nano X wallet:
https://www.youtube.com/watch?v=T-dZ3nTNrm4
Interesting video and personally, I have nothing against Ledger but this looks like a design flaw, am I right? I think this could've been prevented [regardless of the data breach] if there was no room [more compact] for an additional component...
- If the temperature of the device is going to be a concern, then they should probably come up with a new design.
legendary
Activity: 2128
Merit: 6871
June 22, 2021, 12:08:23 PM
#12
Kraken Security Labs team has rebuilt this attack to show how it works, using new Ledger Nano X and small USB-stick implant they later connected to the original board.
They also did some ''improvements'' unlike attackers that removed oscillator component, Kraken Labs left this compnent and Ledger was connecting like normal wallet with bluetooth.
USB stick was placed below display and from outside you could not recognize that anything is wrong with this device, until you connect it to computer and see it is USB stick.
Opening fake app would show windows for entering seed words that would later be sent to attackers.


https://blog.kraken.com/post/9659/alert-modified-hardware-wallets-spotted-in-the-wild/

Here is Kraken Security Labs video doing their own modification for Ledger Nano X wallet:
https://www.youtube.com/watch?v=T-dZ3nTNrm4
legendary
Activity: 2268
Merit: 18492
June 19, 2021, 08:58:44 AM
#11
I don't understand what next firmware update has to do with trusting the wallet, because closed source can't be verified anyway and you don't know what is happening under the hood.
It means that you "only" have to trust Ledger, since by updating the firmware you are also verifying the integrity of the hardware inside the device and that it has not been tampered with. Sure, this isn't as good as an open source wallet which requires zero trust, but it is far superior to trusting everyone in the supply chain, everyone in the delivery chain, or that your wallet never even came from Ledger in the first place.

Regarding malicious software on the tampered device - nowadays every child knows how to disable USB autorun, so I didn't stress this.
I agree with dkbit98 here - that just isn't true. You or I know how to disable USB autorun, sure, but I would wager that the majority of PC users around the world don't even know what USB autorun is, let alone how to disable it. Further, there is plenty of USB based malware which does not require autorun to be enabled. Malware like Rubber Ducky and Bash Bunny will emulate a trusted device such as a mouse or keyboard to send keystrokes to your computer which can do anything from steal your passwords to encrypt your hard drive.
legendary
Activity: 2128
Merit: 6871
June 19, 2021, 06:17:28 AM
#10
My point was that even officially bought wallets must be suspected and not be used until the next firmware update.
I don't understand what next firmware update has to do with trusting the wallet, because closed source can't be verified anyway and you don't know what is happening under the hood.

Regarding malicious software on the tampered device - nowadays every child knows how to disable USB autorun, so I didn't stress this. Just in case, make backup image (say with  Macrium Reflect)  of your pristine OS to restore it after each and every use of suspected USB.
If every child knows to do disable USB (that is not true btw) than there would be no more cases of people getting scammed in most stupid way possible.
In case of this fake Ledger device there was no autorun, but instructions would guide you to install their exe file and import your old seed words that would later be sent and stolen by attackers.
Obviously many people are not using their brain at all and they fall for this all the time, and world we live in today is just another proof of that.

legendary
Activity: 2716
Merit: 7007
Farewell, Leo. You will be missed!
June 18, 2021, 03:39:41 AM
#9
Although, I prefer Trezor which is completely open source, but this data breach can happen to any company that are collecting buyer's data on their database, this should make us careful of the information we are given out.
A 100% open source hardware wallet is preferable, but for the purpose of this kind of attack where you are sent a fake device, it doesn't matter at all. It would be even easier to introduce a vulnerability and backdoor in a code that is public to anyone if the malicious parties know what they are doing.

The oldest rules still apply: No one is going to give you free money or in this case free hardware wallets. If Ledger intended to do something like that, there would certainly be a marketing campaign beforehand. You don't just ship something to a customer hoping he is still there. You check to see if he still lives at that address, is he even still alive, available, and interested in receiving a free gift. 

A lot of thought was put into this scam campaign, and I am afraid it will have great results for the dark side.     
legendary
Activity: 3500
Merit: 6205
Farewell LEO, you *will* be missed.
June 18, 2021, 02:45:58 AM
#8
I am worried that fake devices are sent from France, like we can see on first fake package, and that could mean that someone who works in Ledger is still leaking customer information.

Wow, they did take care to the details...
And about the idea about the employee... I guess that many have checked if and what information about them has leaked at the hack. If their address was not leaked, but they still received this "replacement"... then we'll know. Some will surely tell.
legendary
Activity: 1498
Merit: 4776
June 17, 2021, 05:38:51 PM
#7
Scammers are playing on card of device replacement, but I am worried that fake devices are sent from France, like we can see on first fake package, and that could mean that someone who works in Ledger is still leaking customer information.
This is one of the reasons it is not good to provide kyc on many of the sites. I have a sister, she has antivirus on her phone, and she is security conscious, one day was a debit alert of huge amount of money from her bank account. Although, the bank has given her back the money, but who was able to get through her account and stole such huge amount without any message of OTP from the bank aside debit alert, it is clear that the attacker is working in the bank.

Also are many cases of sim swap which occur without no two reasons at times but just because there are insiders working with service provider as employee but yet also working for attackers to make many sim swap to be successful.

I do not know if this also applies to Ledger Nano, but I am pretty sure that giving out personal data which is stored on a database is extremely dangerous, it will be very easy for the data to be stolen by some workers working in the company which is used against the users.
legendary
Activity: 2128
Merit: 6871
June 17, 2021, 01:49:35 PM
#6
Here is one more guy who claims that he ordered one Ledger Nano X and received two in his package, and one of them looks like it's fake according to photo he posted on reddit.
If this is true that means that Ledger is still leaking some information or they have some dirty insider who is selling customer information.


https://www.reddit.com/r/ledgerwallet/comments/o22p55/is_this_nano_x_pcb_genuine_seen_some_reports/

I'm impressed by the ingenuity of these guys, it's quite an elaborate scam and it's probably not cheap to pull it off, but I think that unfortunately some will fall for it  Angry so get ready for a new bunch of unhappy customers which will probably end up here  Angry
Yeah, I realized in 2020 and 2021 that people are generally very naive and they would accept even a free snake as a gift if you tell them it's an egg that is good for them.
Scammers are playing on card of device replacement, but I am worried that fake devices are sent from France, like we can see on first fake package, and that could mean that someone who works in Ledger is still leaking customer information.


legendary
Activity: 3500
Merit: 6205
Farewell LEO, you *will* be missed.
June 17, 2021, 11:52:40 AM
#5
It'd be a nice kinda-sorta "collectible" and a piece of crypto's history to look back at years down the road.

I agree to this. Although a rather dangerous collectible, it would be interesting to have.
(Un?)Luckily only my email has leaked out, no shipping address.


BEWARE that anyone who ordered ledger wallet before and got his address leaked is in danger of receiving one of this fake devices.

I'm impressed by the ingenuity of these guys, it's quite an elaborate scam and it's probably not cheap to pull it off, but I think that unfortunately some will fall for it  Angry so get ready for a new bunch of unhappy customers which will probably end up here  Angry

Thanks for the heads up, OP.
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
June 17, 2021, 11:46:03 AM
#4
OP, thanks for posting this.  When I downloaded the latest update (the one that was only available on Ledger's own site), I saw multiple warnings about scammers so I suspected something was up.

Hopefully I won't receive one of these fakes--but part of me thinks it'd be neat if I did, since there's no way in hell I'd plug it into my computer.  It'd be a nice kinda-sorta "collectible" and a piece of crypto's history to look back at years down the road.  There are some people who collect counterfeit coins (I'm talking metal coins here), since they have historical value if nothing else.

Aside from that, this is a great warning to anyone reading who might have been fooled by a new Ledger arriving in the mail.  Doubtless some people wouldn't think twice about ripping it open and trying to use it right away.  You'd think anyone with a substantial amount of crypto wouldn't fall for such a scam, but you never know.  Anyone is a potential victim if they don't know better.
legendary
Activity: 2268
Merit: 18492
June 17, 2021, 08:56:25 AM
#3
By and large,  being flashed with new firmware, Ledger can be considered to be safe device. If upgrading fails you might suspect that the wallet was  either counterfeited or tampered.
If you think that the device in your hands is malicious, then the last thing you want to do is plug it in to your main computer to attempt to update the firmware. Doing so allows any malicious software on the tampered device to infect your computer, never mind showing you fake prompts asking for your seed phrase.

If you think the device has been tampered with, you should open it to compare the look of the hardware within by following Ledger's guide here: https://support.ledger.com/hc/en-us/articles/360019352834-Check-hardware-integrity

If you want to plug it in to a computer, plug it in to a live OS, preferably on a secondary computer which you don't use for anything important.
Pages:
Jump to: