
Topic: Ledger wallet App Isolation Bypass Alert - page 2. (Read 304 times)

August 05, 2020, 06:59:39 AM
#4
What is an easy solution for regular users?
- Avoid using any altcoin apps in Ledger wallet.

Aaaand this pretty much makes Ledger Nano X no longer worth buying.

Although I'd add something else too:

What is an easy solution for regular users?
- Keep on daily-use hardware wallets only the funds you use often (and keep the HODL funds separately).
August 05, 2020, 05:04:31 AM
#3
But based on the date on Ledger's page, it looks like they are just starting to make the fix after the article was published, since the article mentions there was no response from Ledger before the vulnerability was publicly disclosed.
There's some more context in this reddit thread: https://www.reddit.com/r/ledgerwallet/comments/i3kr76/new_ledger_vulnerability/g0c2x7i/. btchip is one of Ledger's co-founders and executives. The TL;DR is that they knew about it, were working on it, but missed the deadlines because of COVID and being busy dealing with the data leak. That I could maybe accept if they had previously made a post saying "There is a vulnerability and here is what you need to do about it until we get it fixed", but to leave all their users completely in the dark is unacceptable.

Ledger's reputation is going downhill quickly this year.
Agreed.
August 04, 2020, 02:15:00 PM
#2
A fix is in the works, but has not yet been released - https://donjon.ledger.com/lsb/014/. It seems Ledger was notified of this via their bounty program months ago, and have been working on the fix, so it's not entirely clear why they haven't released it yet before this was made public. Apparently it will be released in the next few days.

Until then, you should either avoid using altcoins stored on your Ledger altogether as dkbit98 has said, or if you must use altcoins then first transfer your bitcoin to a separate wallet. You could generate a new wallet on your Ledger by using a brand new passphrase and move all your bitcoin to there, which would let you continue to use your altcoins without risk to your bitcoin.
August 04, 2020, 11:42:19 AM
#1
The website Monokh released a report on a new vulnerability found in the wallet that can lead to theft of user funds.
Anyone using Bitcoin forks (Litecoin, BCash, testnet Bitcoin etc.) could be affected by this issue.

Ledger was informed about this but it still remains unaddressed!


Quote
Summary

The ledger device exposes bitcoin (mainnet) public key and signing functionality outside of the "Bitcoin" app. It presents misleading transaction confirmation requests indicating the selected app's addresses and amounts when in fact different transactions are being signed.

Quote
The issue

It was discovered that for Bitcoin and Bitcoin forks, the device exposes its functions for any of the assets. In other words, having unlocked the Litecoin app, you will receive a confirmation request for a Bitcoin transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed Bitcoin (mainnet) transaction.

Quote
Steps to reproduce:

    1. Open the Litecoin app

    2. Retrieve mainnet bitcoin (segwit) addresses using getWalletPublicKey('84'/0'/0'/').publicKey

    3. Query UTXOs and construct a bitcoin transaction to spend outputs

    4. Send createPaymentTransactionNew(...) to prompt device for signing this transaction

    5. Receive Bitcoin Mainnet valid signed transaction

Expectation: Ledger device should throw an error at step 2 and step 4 and prevent execution

Actual: Ledger prompts user for a litecoin transaction and produces a valid signed transaction spending the Bitcoin utxos

Quote
Impact

The implications are serious. As briefly covered, users expect to be protected by the ledger device when they have not unlocked their Bitcoin app. Yet, while having an altcoin unlocked, external applications can still:

-   Read the Bitcoin xpub (thereby knowing all addresses belonging to the wallet)
-   Prompt Bitcoin transactions from the device that will be displayed as altcoin transactions

What is an easy solution for regular users?
- Avoid using any altcoin apps in Ledger wallet.

Website source:
https://monokh.com/posts/ledger-app-isolation-bypass
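
The report's expectation that the device should refuse steps 2 and 4 comes down to checking the requested derivation path against the coin of the app that is open. The C code below is an example added to this thread to illustrate that check; it is not from the report or from Ledger's firmware. The function names are hypothetical, the coin types are the SLIP-44 values (Bitcoin 0, Testnet 1, Litecoin 2), and the sample paths are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HARDENED 0x80000000u
#define MAX_DEPTH 10

/* SLIP-44 coin types (second, hardened level of a BIP44/49/84 path). */
enum { COIN_BITCOIN = 0, COIN_TESTNET = 1, COIN_LITECOIN = 2 };

/* Parse "84'/0'/0'/0/0" into 32-bit indexes; returns depth, or -1 if malformed. */
static int parse_path(const char *s, uint32_t out[MAX_DEPTH]) {
    int depth = 0;
    while (*s) {
        if (depth == MAX_DEPTH || *s < '0' || *s > '9') return -1;
        char *end;
        unsigned long v = strtoul(s, &end, 10);
        if (v >= HARDENED) return -1;            /* index must fit in 31 bits */
        out[depth] = (uint32_t)v;
        if (*end == '\'') { out[depth] |= HARDENED; end++; }
        depth++;
        if (*end == '/') { end++; if (*end == '\0') return -1; }
        else if (*end != '\0') return -1;
        s = end;
    }
    return depth;
}

/* Returns 1 only if the path belongs to the coin of the currently open app. */
int path_allowed_for_app(const char *path, uint32_t app_coin_type) {
    uint32_t p[MAX_DEPTH];
    int depth = parse_path(path, p);
    if (depth < 3) return 0;                     /* need purpose'/coin'/account' */
    uint32_t purpose = p[0] ^ HARDENED;          /* small value only if hardened */
    if (purpose != 44 && purpose != 49 && purpose != 84) return 0;
    if (p[1] != (app_coin_type | HARDENED)) return 0;   /* coin mismatch */
    if (!(p[2] & HARDENED)) return 0;            /* account must be hardened */
    return 1;
}

int main(void) {
    /* Constructed requests; the Litecoin app is the one open in both. */
    printf("%d\n", path_allowed_for_app("84'/0'/0'/0/0", COIN_LITECOIN)); /* 0 */
    printf("%d\n", path_allowed_for_app("84'/2'/0'/0/0", COIN_LITECOIN)); /* 1 */
    return 0;
}
```

With this check applied to both the public-key request and every input path of a signing request, a Bitcoin mainnet path is refused while an altcoin app is open instead of being served and displayed as an altcoin transfer.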