Ledger wallet App Isolation Bypass Alert

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: TryNinja on August 07, 2020, 12:37:36 PM

Considering that the guy that reported the vulnerability about Ledger didn’t even mention Trezor, I also assume #2 is correct. Trezor also only fixed the issue after the report, so he would certainly also call them out.

This makes sense, but i wonder why he didn't also report the vulnerability to trezor.
He might have been able to get another bounty reward.

It probably wouldn't be too much additional work to test it on a trezor.
I guess he maybe didn't have a trezor lying around Huh

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: bob123 on August 07, 2020, 12:31:36 PM

But the question was whether there was a bug bounty from trezor (just like with ledger) through which they received the information regarding this or whether they just checked their HW wallet after seeing ledgers being vulnerable to that.
And in this case i'd guess its #2 because their bug bounty page doesn't show anything related to this vulnerability.

Considering that the guy that reported the vulnerability about Ledger didn’t even mention Trezor, I also assume #2 is correct. Trezor also only fixed the issue after the report, so he would certainly also call them out.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: TryNinja on August 07, 2020, 10:13:03 AM

They did release an update (to the Trezor One) to address issues related to this vulnerability: https://blog.trezor.io/firmware-updates-for-trezor-model-t-version-2-3-2-and-trezor-model-one-version-1-9-2-f4f9c0f1ed7c

Quote

Missing path isolation check

We have amended our Trezor One code to include a missing path isolation check, which is already in place for the Trezor Model T. This check prevents a user from spending coins from known paths (BIP44, BIP49, BIP84), if the coin type does not match the path. Without this check, an attacker could trick the user into signing a Bitcoin transaction while thinking they are signing a testnet or altcoin transaction.

Yes, that's the quote i have posted.
But the question was whether there was a bug bounty from trezor (just like with ledger) through which they received the information regarding this or whether they just checked their HW wallet after seeing ledgers being vulnerable to that.
And in this case i'd guess its #2 because their bug bounty page doesn't show anything related to this vulnerability.

Pmalek

legendary

Activity: 2730

Merit: 7065

I find it quite worrying that their security team decided to sit on this vulnerability for several months while working on other things. Using COVID-19 as an excuse is shameful. They started testing the new Bitcoin app only when the deadline was reached. It is even worse that the fix came out just one day after the vulnerability was made public. That means that it was pretty easy for their team to fix it, they just didn't care or took their time to do it before.

As a Ledger user, this makes me think is this a company I should trust with my Bitcoin?!

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: bob123 on August 07, 2020, 06:26:36 AM

Quote from: o_e_l_e_o on August 06, 2020, 02:08:06 PM

Is there any suggestion that there was a similar bug bounty submitted to Trezor, or have they just seen the Ledger one, examined their own devices, and realized they were also susceptible?

I guess only Trezor knows.
But according to https://trezor.io/security/, there hasn't been such a vulnerability reported and fixed.

So i would assume, they checked their device upon seeing the vulnerability affecting Ledger. But only a guess tho.

They did release an update (to the Trezor One) to address issues related to this vulnerability: https://blog.trezor.io/firmware-updates-for-trezor-model-t-version-2-3-2-and-trezor-model-one-version-1-9-2-f4f9c0f1ed7c

Quote

Missing path isolation check

We have amended our Trezor One code to include a missing path isolation check, which is already in place for the Trezor Model T. This check prevents a user from spending coins from known paths (BIP44, BIP49, BIP84), if the coin type does not match the path. Without this check, an attacker could trick the user into signing a Bitcoin transaction while thinking they are signing a testnet or altcoin transaction.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: o_e_l_e_o on August 06, 2020, 02:08:06 PM

Is there any suggestion that there was a similar bug bounty submitted to Trezor, or have they just seen the Ledger one, examined their own devices, and realized they were also susceptible?

I guess only Trezor knows.
But according to https://trezor.io/security/, there hasn't been such a vulnerability reported and fixed.

So i would assume, they checked their device upon seeing the vulnerability affecting Ledger. But only a guess tho.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: o_e_l_e_o on August 06, 2020, 02:08:06 PM

Is there any suggestion that there was a similar bug bounty submitted to Trezor, or have they just seen the Ledger one, examined their own devices, and realized they were also susceptible?

Such information does not exist (at least I did not find it anywhere), so we can assume that the Trezor fix (new firmware) most likely has something to do with Ledger. If we look through history of Ledger&Trezor, they have identical or similar vulnerabilities, and the only difference is who will fix them first. Of course the difference is also that some things in Trezor case can’t be fixed with new firmware, which in my opinion is an even greater cause for concern.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18748

Quote from: dkbit98 on August 06, 2020, 11:56:16 AM

I said it before, from the moment when they started to include all of the shitcoins and forks, that this will only hurt them in the long run.
They should better focus on privacy features and improving LedgerLive with adding Tor for example, and remove that stupid ads.

Agreed. I've also said before that it is ridiculous that they are focusing on adding shitcoin support when Ledger Live still doesn't allow address or UTXO control/management. I initially refused to use it over Electrum because of the UTXO control, but as time goes on and they add a ridiculous trading platform and ads (ads in a product I've already paid for, no less), as well as the horrendous privacy concerns, I'm glad I never use it and it will take some significant changes before I ever do use it.

Quote from: bob123 on August 06, 2020, 12:07:25 PM

restraining from trading shitcoins for a while will keep you safe.

This applies to pretty much everything to do with crypto, not just hardware wallets. Tongue

Is there any suggestion that there was a similar bug bounty submitted to Trezor, or have they just seen the Ledger one, examined their own devices, and realized they were also susceptible?

bob123

legendary

Activity: 1624

Merit: 2481

The same vulnerability seems to have affected Trezor:

Quote from: https://blog.trezor.io/firmware-updates-for-trezor-model-t-version-2-3-2-and-trezor-model-one-version-1-9-2-f4f9c0f1ed7c

Missing path isolation check

We have amended our Trezor One code to include a missing path isolation check, which is already in place for the Trezor Model T.
This check prevents a user from spending coins from known paths (BIP44, BIP49, BIP84), if the coin type does not match the path.
Without this check, an attacker could trick the user into signing a Bitcoin transaction while thinking they are signing a testnet or altcoin transaction.

While this vulnerability definitely poses some risk, it is not the worst one could imagine.
Not using a compromised computer / fake version of a wallet or restraining from trading shitcoins for a while will keep you safe.

dkbit98

legendary

Activity: 2212

Merit: 7064

I said it before, from the moment when they started to include all of the shitcoins and forks, that this will only hurt them in the long run.
They should better focus on privacy features and improving LedgerLive with adding Tor for example, and remove that stupid ads.
I don't like to see them every time I need to update.

This is what I got this time, and I had to restart several times to get it working and updating.

I hope they will learn something from this.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18748

Quote from: Lucius on August 06, 2020, 04:36:41 AM

they think that the possibility of a successful attack (although the possibility exists) is very small.

I think this vulnerability was particularly bad, actually. Lots of people claim bitcoin forks such as cash, gold, diamond, private, etc. Lots of people who claim these forks have never used those respective coins or their wallets before, and are unfamiliar with the processes involved. There have been quite a few instances of people losing all their fork coins to malicious wallets. Imagine now if these people had also lost all their bitcoin, via a vulnerability Ledger knew about but hadn't fixed or warned anyone about?

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: o_e_l_e_o on August 05, 2020, 09:50:05 AM

Quote from: Lucius on August 05, 2020, 08:38:31 AM

I’m just wondering if they’ll finally realize that security comes first, and only then add support for various shitcoins and options to buy coins directly via Ledger Live.

That's actually a very good point. Ledger Live trading was launched a couple of months ago, which means they were developing and launching this while they were fully aware of this bug. COVID and holidays aren't an issue when it comes to launching a service with ridiculous fees to bump up their profits it seems. Roll Eyes

And it is more than clear why Ledger, as a company, takes such a rather frivolous stance when it comes to discoveries like this - they think that the possibility of a successful attack (although the possibility exists) is very small. And to be honest, every vulnerability found is fixed sooner or later - fact is that there is no documented case of someone being hacked for any security vulnerability, which still makes a hardware wallet one of the more secure ways to store crypto.

However, I believe that Ledger must pay more attention to security and test its devices for all possible attacks on a daily basis. Everything that has been happening lately is just the result of the company's wrong business policy - and in addition to the already mentioned Ledger Live trading options, there are also Ledger branded clothing and Ledger metal backup plates.

Personally, I have nothing against it - but security should come first, no matter how trivial it may seem from a security point of view.

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: https://donjon.ledger.com/lsb/014/

2020-08-02 90 days deadline reached. Ledger started the test and release process for the fixed Bitcoin app.

Ummmm what? They only started the test and release process after the deadline was reached??!? Huh

They had nearly 3 months to sort this out... and apparently had the "fix" done but not tested on deadline day??!? Shocked

Ledger
|
|
|
|
v
Ball

Roll Eyes

o_e_l_e_o

legendary

Activity: 2268

Merit: 18748

Sit on the problem for 3 months, claim that they are too busy to fix it, blame COVID and the holidays, and then push a fix 24 hours after the bug is publicly revealed due to community backlash. At the moment I still prefer my Ledger devices over my Trezor devices due to the unfixable Trezor vulnerability, but this really isn't a good look for Ledger as a company.

At least it's fixed. Everyone make sure to update. And if you haven't already, think about creating properly airgapped and encrypted cold storage.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Actually Ledger folks seem to have made a fix.
I've just read this:

Quote from: https://mobile.twitter.com/Ledger/status/1291061084435238912

The Bitcoin app that fixes the issue in Bitcoin derivative apps is available -- for Nano X and Nano S. You can update your app on Ledger Live now.

On Twitter there are more linked posts there.

dkbit98

legendary

Activity: 2212

Merit: 7064

I don't use any shitcoin apps in Ledger so I am not affected so much, but I think Ledger reputation is going down with elevator speed Tongue

Pure shit I tell you!
And Ledger gang is very quiet Grin

Quote from: o_e_l_e_o on August 05, 2020, 09:50:05 AM

That's actually a very good point. Ledger Live trading was launched a couple of months ago, which means they were developing and launching this while they were fully aware of this bug.

That is true.
Author or this article (who informed them about this issue) had to release his own article (monokh.com) and force them to address this issue.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18748

Quote from: hugeblack on August 05, 2020, 07:39:46 AM

even as the responses were worrying

COVID and the data breach I could accept. Holidays is unacceptable. If you have a critical vulnerability that can result in your users losing all their bitcoin, I expect people to be working overtime to get it fixed ASAP. And they knew about it for months. The entire security team was on holiday for 3 months? Come on.

Quote from: hugeblack on August 05, 2020, 07:39:46 AM

I do not think that the risk includes all altcoins, but all Bitcoin Hardforks.

Ledger released a list of all the coins affected on the link I shared above: https://donjon.ledger.com/lsb/014/

Quote from: Lucius on August 05, 2020, 08:38:31 AM

I’m just wondering if they’ll finally realize that security comes first, and only then add support for various shitcoins and options to buy coins directly via Ledger Live.

That's actually a very good point. Ledger Live trading was launched a couple of months ago, which means they were developing and launching this while they were fully aware of this bug. COVID and holidays aren't an issue when it comes to launching a service with ridiculous fees to bump up their profits it seems. Roll Eyes

I use very few altcoins, the ones I do use wouldn't make my bitcoin susceptible, and the altcoin wallets I do have are stored under different passphrases from my bitcoin wallets, so it wouldn't matter anyway, but I am incredibly unimpressed by Ledger's attitude to this.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: Lucius on August 05, 2020, 08:38:31 AM

It's not just the Nano X, all models have the same vulnerability

My point was that if you don't use it for altcoins you can simply just buy the cheaper Nano S or the cheapest Trezor.
But you're right, I was not clear enough on that.

Of course that the wallet has to be malicious, but we already had a good share of such wallets exactly for "cashing in" various Bitcoin hard forks.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: ?? on ??

Ledger reputation is going downhill quickly in this year.

There is no doubt about it at all, the bad news comes one after the other and we can only wonder what is next. I’m just wondering if they’ll finally realize that security comes first, and only then add support for various shitcoins and options to buy coins directly via Ledger Live.

Quote from: NeuroticFish on August 05, 2020, 06:59:39 AM

Aaaand this pretty much makes Ledger Nano X no longer worth buying.

It's not just the Nano X, all models have the same vulnerability - but still, in order for someone to take advantage of this vulnerability, certain conditions must be met - and everything I read comes down to someone using a fake version of the wallet. The following comment perhaps best describes the situation:

Quote from: https://www.reddit.com/r/ledgerwallet/comments/i3kr76/new_ledger_vulnerability/

Crypto-Guide
For someone to steal your funds, so that you send it to them, the attacker has to supply both the malicious wallet and the address to send to on the altcoin chain. The user would also need to have enough Bitcoin for the amount to match as well, someone won't be confirming 5 LTC on device and then sending some different amount of Bitcoin... The crux of the argument for this one is basically that people won't even bother to check the ledger for altcoins, but this is true with any hardware wallet... (Eg if people don't check, they probably won't even notice if it were for a different coin)

Like the "double confirmation" type vulnerability, this one is more likely to result in someone being ticked in to sending their coins down hole. The main issue with this one is really a potential loss of privacy due to a wallet querying public keys beyond the scope of the "normal" derivation path.

In my mind, this is can only really be considered a vulnerability by some because Ledger oversold how segregated the coin apps are on the marketing side... A user has to be careless in multiple ways to actually lose funds to this one.

hugeblack

legendary

Activity: 2702

Merit: 4002

I have read that this vulnerability was reported on May 4^[1], so monokh committed to the three-month period before the vulnerability was announced which was yesterday.

It is strange that Ledger support team did not move to fix it and they had about 3 months to repair and improve their reputation, even as the responses were worrying^[2].

Quote

What is easy solution for regular users?
- Avoid using any altcoin apps in Ledger walet.

I do not think that the risk includes all altcoins, but all Bitcoin Hardforks.

this is the list of effective coins:

source ----> https://unhashed.com/bitcoin-cryptocurrency-forks-list/
Read about other altcoins ---> https://unhashed.com/bitcoin-cryptocurrency-forks-list/

[1] https://monokh.com/posts/ledger-app-isolation-bypass
[2]

Quote

the release date was unfortunately overlooked because holidays, covid and other issues.

Topic: Ledger wallet App Isolation Bypass Alert (Read 304 times)