Topic: Ledger fake device Warning! (Read 673 times)

You can't type your seed on the device... because it doesn't work like a real ledger... it is essentially a USB thumb drive that looks like a Ledger.

The idea is that a victim plugs it in... and it opens up the folder showing the ledger.exe that they run... and then it asks for the seed. In an ideal world, the user is smart enough to remember that you should never type your hardware wallet seed into any device that is not your hardware wallet itself and they will be fine.

However, we don't live in an ideal world and given how much money the nigerian princes are still making... there is probably a non-zero chance that someone will fall for something like this and lose coins.

I mean, "EvilMe"™ was just thinking:

1. Twitter/youtube giveaway ("ReallyEvilMe"™ looks over at "games and rounds" forum)
2. Send out fake devices, but promote it as a way to "migrate your current wallet to the security of a hardware wallet"
3. Get people to input their current 12/24 word seeds from their desktop/mobile/web wallets into your fake app.
4. Profit!

I would like to think that something like that wouldn't work... but "RealisticMe"™ knows otherwise.

You should NEVER type your seed anywhere online or on any other program, seed words are only generated and entered directly on hardware wallet device.
Doing something differently means that you are at high risk of being victim of some phishing attack scheme, either by fake device or by fake software.

@jerry0
Check the pictures in the OP. The last two show a manual of how to configure the fake device, select the number of seed words, and then entering them in a fake software (not the real Ledger Live). Once you do that, the information is transmitted to the hackers. As you know, your seed is never supposed to be entered into a software and you shouldn't use or accept any hardware wallets from anyone that you didn't order yourself.   

But if you don't type the seed on the device, then aren't you still safe?  I mean the hack is if you download the fake ledger live, don't you still need to need to type your seed?

Those fake bank email letters still exist and they existed for decades because people are still falling for scams like that.
We have similar thing in crypto with fake exchanges and web wallets, fake giveaways etc.

It's like you asking if there are people who fallen for other ledger phishing scams resulted from their leaks  I am sure there are, but I don't have any proof for that.
You can see people complaining all the time on ledger reddit page how they got scammed and lost coins.

Which is another huge mistake. If I sent you a letter with a Bank of America letterhead (replace with the name of your bank) saying your account is being upgraded and you need to send all your money to this new account, you would be branded a fool if you fell for it. This is essentially no different to what this fake Ledger letter says.

I'm not disagreeing that this isn't a flaw with Ledger devices, especially when they suggest examining the hardware to ensure authenticity (which we now know is not a guaranteed method), but you have to really not be paying attention to what is going on to actually fall for it.

Follow up question: Do we know if anyone has actually fallen for it yet?

That's correct! In the images you posted in OP, we can see one with setup instructions were the user is instructed to enter his seed phrase into the fake software. For anyone who has ever used a Ledger device, he knows that this is not the way a Ledger hardware wallet works and is set up. Those who don't pay attention or are just starting out, wouldn't notice that something is off. But that's not an excuse because if the devices were shipped to users from the original leaked database, they should already be familiar with the way the devices work.

If something like this was shipped to me, my first question would be why is Ledger sending me this without checking with me first and making sure I still live at that address? It doesn't make sense.   

Only thing you need is to know good soldering and not to make a mess with removing old and placing new chip.

They are following instructions, but those instructions from box are all fake.
I can even imagine that scammers could add some link on paper that would lead customers to some phishing website.

I could also say that not reading all that you mention it is very easy to trick anyone and steal crypto from them, especially if they are newbies.

And still, as with almost everything in crypto, if the user just followed the instructions then the entire attack is useless.

There are multiple steps, quite clearly laid out in Ledger's documentation, which would stop this attack. Did you buy from an official Ledger seller? Did you connect to Ledger Live to confirm authenticity? Did you update the firmware? Did you pay attention to the warning to never enter your seed phrase anywhere but directly on your hardware wallet? Did you pay attention to the fact that nowhere in the set up guide does it mention mounting as a storage device, running software, or entering your seed phrase?

Reading and paying attention to any single one of these, let alone all of them, would be enough to foil this attack. The more I think about it, the more I realize just how monumentally you need to mess up to fall victim to this, regardless of whether or not it is detectable that the device has been modified.

Yeah... it was basically the same as the first fake... but instead of having an extra Mass Storage module soldered onto the Ledger's mainboard, he simply replaced the chip with a generic one and then programmed it to act as the mass storage with a fake .exe etc. (in the video it was just setup to launcher a calculator, but had the name Ledger.exe and the Ledger Live logo etc.)

The only difference between this and the first fake, was that you couldn't tell that the hardware was fake by opening the device and inspecting it. There was literally zero visible difference between his fake with the replaced chip and an authentic Ledger device

So, theoretically, this is a slightly better fake than the ones already in circulation...

Exactly, Twitter giveaway would be perfect for this scheme and everyone like giveaways and free stuff even people who are not poor.
They can just inspect their profiles and choose someone manually based on their post history, or they can call people from ledger leaked list and tell them thy won new free ledger.
This process is always evolving and scammers will create even something smarter so better be alert everyone.

People can easily get tricked to inject poison in their body if you tell them it's for their health and if you wear a white coat, so I am sure many people will also fall for this scheme with hardware wallets.

So by removing the original chip, he was able to replace it with the same type of chip that contains an unofficial firmware. If you were to plug that device into your computer and open up the official Ledger Live software, the hardware device wouldn't be able to connect to Ledger servers, download updates, or new firmware releases. That's how you could tell it's fake.

I guess it has to come hand in hand with a fake software and installation instructions that ask the victim to enter their seed into the software. You will have to make multiple mistakes and completely swerve away from everything you learned about setting up a hardware device, storing a seed, and so on.

I still think that will be enough for plenty of people to be tricked into losing their crypto assets. 

And that's what I don't get... mailing some random a hardware wallet? Mind you, people™ are stupid and like free stuff... so if you managed to get the details of people, say by running a fake giveaway on Telegram or Twitter etc... you could probably find a lot of people to send them to. Whether those people are likely to have anything worth stealing tho?


And that's the rub isn't it... a list of people who think they have (or will have) assets worth protecting are less likely to fall for this... whereas ones who have never used a hardware wallet will likely fall for it more easily, but are less likely to have assets worth a lot.

Ultimately, it's an interesting story... but I don't anticipate it being a "huge" problem (like phishing websites and fake software downloads etc)

Exactly, and we can say that new people who never used hardware wallets before may be their main target.
They can get addresses for people who ordered Ledger when they got hacked with leaked database, but I doubt many will fall for this cheap trick.

They can make cheap 3d printing cases with packaging and get cheap chinese drives, so shipping would probably be most expensive for them.

Scammers earned more money from bitcoin youtube scam giveaways, because people are not using their brain as much as they should, so this scheme would also pay off.

Interesting... It's basically the equivalent of mailing someone a phishing website.

You have to wonder what the capital investment is here... $60+shipping for each device, probably not more than a few dollars for the replacement chips, then the postage to send them out. All in the hope that people are going to give you their 24 word seed.

Still, if you sent out 500 units, I guess you only really need 1 person with 1+ BTC to fall for this to make some money.

He also says in the video he can exploit a vulnerability in the native STM32 chip using ChipWhisperer to turn it in to a mass storage device, although he doesn't show this. But he does show simple replacement of the STM32 chip, and the hardware wallet then behaving as a mass storage device despite looking physically identical. So as you say, physical inspection of the device is no longer a reliable method to rule out maliciousness.

I'm not sure which side of the fence I fall on here. Obviously it is a significant weakness that a device can be imperceptibly modified to behave in such a way. However, such an attack also does nothing to the secure element and requires significant naivety and mistakes on behalf of the user along with significant deviation from all of Ledger's instructions and guide available on paper and their website to actually be successful. It's kind of similar to the malicious Electrum hack prior to 3.3.4. The vulnerability itself (showing an arbitrary message/mounting as a mass storage device) cannot steal anybody's coins unless they also do a lot of very stupid things (download and fail to verify unknown software/launch unknown software and type their seed phrase in to it).

Here is one more easy way to create identical clone of Legder wallet with simply replacing the main stm32 chip and creating malicious Ledger with small implant.
This was done by @_MG_ and there are no visible hardware changes, so opening your Ledger wallet case you would not be able to notice that it iis malicious.
Ledger obviously those not consider this to be vulnerability, and they only care about secure element, but this is easy method to trick anyone with fake instructions.
Unrelated with that, I think that all hardware wallets manufacturers will have some problems in near future because it's now very hard to find any chips on the market, due to shortage.


https://youtu.be/oARxLV_vnh0

This should extend to all computer hardware and devices. You often see stories of people saying "I found this USB drive/SD card/digital camera/CD labelled "vacation photos" etc., so I plugged it in to my computer to see if I could figure out whom it belonged to and return it to them." Terrible idea, and you open yourself up to attack by all kinds of malware by doing so. It's for the same reason you shouldn't use public charging points for your phone, as again, you have no idea if it is a simple charging point or if there is actually malware inside the USB cable or the adapter waiting to transfer to your device as soon as you connect. Use your own battery packs instead, or buy or make your own USB cable with the data pins removed so it can only transfer power and nothing else.

Holy smoke... these attackers are really going out of their way to scam people. Normally an attackers will not spend money to receive money, but these people obviously spend a lot of money to send these "fake" hardware wallets out to people. 

OP, thank you for this information... I will not use any hardware wallet that was send from some unknown origin and something that I did not request or paid for. ( I have several hardware wallets, but I seldom store large amounts on any of them.. my safest wallet is still my Paper wallets) 

Yes, it's a more blunt version of the USBNinja which I linked to above.

The USBHarpoon has a predetermined payload on the chip which is then hidden inside a USB cable. When the USB cable is attacked, the computer recognizes is as an input device such as a keyboard, allowing the payload to send arbitrary commands to the computer such as to open a web browser, navigate to a specific site, and then download and run some malware.

The USBNinja is the next step up. It works along the same lines, but the chip inside the USB can be wiped and have a new or different payload uploaded on to it, and rather than triggering automatically as soon as the cable is attached, it can be triggered at any time by the attacker broadcasting a wireless signal. This allows them to time their attack for when the cable is attached but you are not physically at your computer, so you don't notice any of things that are happening and cannot intervene to stop them.

Don't forget USBHarpoon either. USBHarpoon - a charging cable that can hack your computer. 

It works as a normal data transfer and charging cable, but once connected, it's able to download malware and execute various commands. The thing works on MAC and Windows, as well as on mobile phones and even drones (as shown on the video in the source link). Scary stuff.

I didn't say you did... I was merely pointing out that further posts in that reddit thread would indicate that the user simply received 2 "OG" devices.


Probably the same way my wife once received an airfryer, that she never ordered, along with her actual order of discount comestics. People make mistakes.

Hell, I've received the "same" order twice before from various companies... granted it wasn't from Ledger, but it's certainly not unheard of.

I am not saying that device is fake for sure, but he did receive two Ledger wallets after ordering just one.
Can you explain how that mistake is possible after he ordered it directly from ledger?

It doesn't appear to be true... The photo of the backside of the users PCB looks clean:



versus one of the tampered ones with extra component and soldering etc:




And they got it in the "normal" Ledger packaging... not the (very convincing) "fake" packaging and no associated letter etc.

I have a number of USB drives which are barely bigger than the USB port themselves - something along the lines of https://i.imgur.com/9I5cRca.jpg - and yet have storage of 128 GB. You can imagine that it would be easy enough to fit a chip with only a couple of megabytes of storage inside the hub of a USB cable, which is more than enough to store some malware which will self-execute as soon as you connect the cable.

The original malicious cable was known as BadUSB. You can see a GitHub page exploring the concept here - https://github.com/joelsernamoreno/BadUSB-Cable - along with pictures of USB cables being modified to hide the malicious chips inside.

The most recent project I've seen working on this is USBNinja - https://usbninja.com/. Not only will it hide a malicious payload inside a USB cable, but it also hides wireless connectivity hardware which allows an attacker to communicate with the cable and trigger it remotely at a time of their choosing. The payload can be completely customized, to do anything from installing clipboard malware to trying to extract passwords or seed phrases.

Thank you guys for the inputs, it appears that somehow I forgot to consider those things.

Perhaps I should've been clearer ^[sorry] but I wasn't reporting any issues with the temps ^{[I thought it might have something to do with the additional/unused small space on the device in question]}.

That'll be a cool feature and there are already a few hardware wallets out there that either came with that feature or later got it ^{[to an extent]} as part of an update.

For real?
^{- Just did some digging and the only one that I could find with some explanations was "this" one but even then, there are still conflicting parts.}

Absolutely. You can get chips which are small enough to hide inside a USB cable, and turn the cable itself in to malicious device. That could very well be the next attack vector: Send out real Ledger devices which are untampered with and so will pass all the physical and electronic checks, while hiding some seed stealing software or similar inside the USB cable. For all the people who have opened up their hardware wallets to check the hardware inside, has anyone ever opened up the USB cable?

Sure, they could probably seal the case, add epoxy like Coldcard and Bitbox is doing, or add some self destruction mechanism that would destroy the device if someone opens it,
but no Ledger likes to focus on adding more and more useless altcoins
Even if their design was better, it's hard to prevent this attacks from happening, I could 3d print ledger case and make my own fake version with some cheap flash drive and send it to many victims of their database leak(s).

Probably USB implants can also be smaller. And if needed other parts may get removed to basically keep only the USB functionality. I feel like the "design flaw" is not that big.
I've never noticed my Nano S running hot, so I don't know if temperature was such a concern. I think that they just found the standard USB stick size just fine.

Interesting video and personally, I have nothing against Ledger but this looks like a design flaw, am I right? I think this could've been prevented ^{[regardless of the data breach]} if there was no room ^{[more compact]} for an additional component...
^{- If the temperature of the device is going to be a concern, then they should probably come up with a new design.}

Kraken Security Labs team has rebuilt this attack to show how it works, using new Ledger Nano X and small USB-stick implant they later connected to the original board.
They also did some ''improvements'' unlike attackers that removed oscillator component, Kraken Labs left this compnent and Ledger was connecting like normal wallet with bluetooth.
USB stick was placed below display and from outside you could not recognize that anything is wrong with this device, until you connect it to computer and see it is USB stick.
Opening fake app would show windows for entering seed words that would later be sent to attackers.


https://blog.kraken.com/post/9659/alert-modified-hardware-wallets-spotted-in-the-wild/

Here is Kraken Security Labs video doing their own modification for Ledger Nano X wallet:
https://www.youtube.com/watch?v=T-dZ3nTNrm4

It means that you "only" have to trust Ledger, since by updating the firmware you are also verifying the integrity of the hardware inside the device and that it has not been tampered with. Sure, this isn't as good as an open source wallet which requires zero trust, but it is far superior to trusting everyone in the supply chain, everyone in the delivery chain, or that your wallet never even came from Ledger in the first place.

I agree with dkbit98 here - that just isn't true. You or I know how to disable USB autorun, sure, but I would wager that the majority of PC users around the world don't even know what USB autorun is, let alone how to disable it. Further, there is plenty of USB based malware which does not require autorun to be enabled. Malware like Rubber Ducky and Bash Bunny will emulate a trusted device such as a mouse or keyboard to send keystrokes to your computer which can do anything from steal your passwords to encrypt your hard drive.

I don't understand what next firmware update has to do with trusting the wallet, because closed source can't be verified anyway and you don't know what is happening under the hood.

If every child knows to do disable USB (that is not true btw) than there would be no more cases of people getting scammed in most stupid way possible.
In case of this fake Ledger device there was no autorun, but instructions would guide you to install their exe file and import your old seed words that would later be sent and stolen by attackers.
Obviously many people are not using their brain at all and they fall for this all the time, and world we live in today is just another proof of that.

A 100% open source hardware wallet is preferable, but for the purpose of this kind of attack where you are sent a fake device, it doesn't matter at all. It would be even easier to introduce a vulnerability and backdoor in a code that is public to anyone if the malicious parties know what they are doing.

The oldest rules still apply: No one is going to give you free money or in this case free hardware wallets. If Ledger intended to do something like that, there would certainly be a marketing campaign beforehand. You don't just ship something to a customer hoping he is still there. You check to see if he still lives at that address, is he even still alive, available, and interested in receiving a free gift. 

A lot of thought was put into this scam campaign, and I am afraid it will have great results for the dark side.     

Wow, they did take care to the details...
And about the idea about the employee... I guess that many have checked if and what information about them has leaked at the hack. If their address was not leaked, but they still received this "replacement"... then we'll know. Some will surely tell.

This is one of the reasons it is not good to provide kyc on many of the sites. I have a sister, she has antivirus on her phone, and she is security conscious, one day was a debit alert of huge amount of money from her bank account. Although, the bank has given her back the money, but who was able to get through her account and stole such huge amount without any message of OTP from the bank aside debit alert, it is clear that the attacker is working in the bank.

Also are many cases of sim swap which occur without no two reasons at times but just because there are insiders working with service provider as employee but yet also working for attackers to make many sim swap to be successful.

I do not know if this also applies to Ledger Nano, but I am pretty sure that giving out personal data which is stored on a database is extremely dangerous, it will be very easy for the data to be stolen by some workers working in the company which is used against the users.

Here is one more guy who claims that he ordered one Ledger Nano X and received two in his package, and one of them looks like it's fake according to photo he posted on reddit.
If this is true that means that Ledger is still leaking some information or they have some dirty insider who is selling customer information.


https://www.reddit.com/r/ledgerwallet/comments/o22p55/is_this_nano_x_pcb_genuine_seen_some_reports/

Yeah, I realized in 2020 and 2021 that people are generally very naive and they would accept even a free snake as a gift if you tell them it's an egg that is good for them.
Scammers are playing on card of device replacement, but I am worried that fake devices are sent from France, like we can see on first fake package, and that could mean that someone who works in Ledger is still leaking customer information.

I agree to this. Although a rather dangerous collectible, it would be interesting to have.
(Un?)Luckily only my email has leaked out, no shipping address.



I'm impressed by the ingenuity of these guys, it's quite an elaborate scam and it's probably not cheap to pull it off, but I think that unfortunately some will fall for it   so get ready for a new bunch of unhappy customers which will probably end up here  

Thanks for the heads up, OP.

OP, thanks for posting this.  When I downloaded the latest update (the one that was only available on Ledger's own site), I saw multiple warnings about scammers so I suspected something was up.

Hopefully I won't receive one of these fakes--but part of me thinks it'd be neat if I did, since there's no way in hell I'd plug it into my computer.  It'd be a nice kinda-sorta "collectible" and a piece of crypto's history to look back at years down the road.  There are some people who collect counterfeit coins (I'm talking metal coins here), since they have historical value if nothing else.

Aside from that, this is a great warning to anyone reading who might have been fooled by a new Ledger arriving in the mail.  Doubtless some people wouldn't think twice about ripping it open and trying to use it right away.  You'd think anyone with a substantial amount of crypto wouldn't fall for such a scam, but you never know.  Anyone is a potential victim if they don't know better.

If you think that the device in your hands is malicious, then the last thing you want to do is plug it in to your main computer to attempt to update the firmware. Doing so allows any malicious software on the tampered device to infect your computer, never mind showing you fake prompts asking for your seed phrase.

If you think the device has been tampered with, you should open it to compare the look of the hardware within by following Ledger's guide here: https://support.ledger.com/hc/en-us/articles/360019352834-Check-hardware-integrity

If you want to plug it in to a computer, plug it in to a live OS, preferably on a secondary computer which you don't use for anything important.

What can be most dangerous is to have a clonned hardware wallet, or the one that has been tamparred with. The one above falls under this category. Entering seed phrase on such fake hardware wallet will surely lead to the attackers to be able to access the seed phrase, even possibly along with the passphrase if included. The question is, how can someone differentiate the origin from the fake? There should be a way. Although, I prefer Trezor which is completely open source, but this data breach can happen to any company that are collecting buyer's data on their database, this should make us careful of the information we are given out.

If Electrum can support more than Bitcoin, it would have been the best approach than given data to the another party, well also a reputed reseller can help, but they can also have a compromised hardware wallet to sell, who knows. Using electrum as a cold storage and having another one as watch-only will not require for any kyc or user's information collection on any database, this has been effective for Bitcoin holding, but users that like to hold other cryptocurrencies  are the ones going for hardware wallet.

You probably remember multiple Ledger database leaks that exposed private customer information and addresses for millions of ledger customers, and this is still available in public so both fbi and scammers have all those information.

Scammers have been texting customers, sending them threats with sms, fake emails but their latest trick is even more dangerous because they started to send fake replacement Ledger devices to selected customers even if they didn't order anything.

Attackers even created fake ledger bag and sealed ledger box to match original Ledger Nano X wallet with their own instructions, and sent letter explaining why customer need to replace their wallet.

 

Fake Instructions is asking users connect the Ledger to their computer, than import recovery phrase from their old device, and that is sent to the attackers who imports it on their own devices and steal crypto.



Guy who received this fake ledger opened the device that was later compared with original device and you can see the clear difference inside both front and back as well as some sloppy soldering work.

They added a flash drive inside Ledger case and wired it to the USB connector with the purpose to be used for malware delivery to attackers.

 

This was first reported on ledger reddit by member jjrand who was confirmed victim of data breach, but he was not the only one to receive it.

BEWARE that anyone who ordered ledger wallet before and got his address leaked is in danger of receiving one of this fake devices.

https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/