Vulnerability in the Ledger Bitcoin App Discovered

Captain-Cryptory

newbie

Activity: 23

Merit: 853

Quote from: joniboini on June 08, 2020, 08:04:52 AM

Quote from: ?? on ??

UPD: got ~~2.2.3~~ 2.3.2 (after updated 1.2.0) working but no further progress.

Do you still have this problem? What's the log said about it? If it crash then there should be something on Event Viewer.

I'd rather wait for the new version Electrum instead of using Ledger Live if I ever update my firmware btw.

Everything is "in-between" state so far. 2.4.1 LL is unstable at launching on one of my computer upgraded to the latest release of Windows 10 numbered as 2004 while it is completely refuses to be launched on the second device run under Win 10, 1909. Having not to too much of free time I have left it alone for a while. Reference to the record of Event Viewer is over there https://bitcointalksearch.org/topic/ledger-live-210-220-223-installers-and-uninstallers-flagged-as-malware-5241444

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: hugeblack on June 05, 2020, 03:53:46 AM

The strange thing is, why did the firmware update take about 90 days? I thought it was similar to what happened with Electrum, just upgrading to prevent popup notifications would suffice.

What kind of firmware update are you talking about? This is exclusively about software upgrades, more precisely Ledger Live and their BTC app. If you refer to Electrum phishing from 2018, then you pretty much mixed things up. This is something much more innocuous, and it's actually related to SegWit, not some vulnerability that has anything to do with Ledger or Trezor.

If someone could similarly manipulate the servers used by Ledger and Trezor, it would do enormous damage to those who would not be careful enough.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: ?? on ??

UPD: got ~~2.2.3~~ 2.3.2 (after updated 1.2.0) working but no further progress.

Do you still have this problem? What's the log said about it? If it crash then there should be something on Event Viewer.

I'd rather wait for the new version Electrum instead of using Ledger Live if I ever update my firmware btw.

hugeblack

legendary

Activity: 2702

Merit: 4002

I don’t know how this can be considered a Vulnerability, as it requires downloading any other wallet application or a fake Ledger Live to succeed. It also requires the user not to pay attention or not to cancel the transaction completely when he gets an error?

The strange thing is, why did the firmware update take about 90 days? I thought it was similar to what happened with Electrum, just upgrading to prevent popup notifications would suffice.

Edit:

Quote

Unfortunately, some third-party tools do not allow hardware wallets to obtain the previous transaction in case of SegWit inputs, which is why Trezor will not be able to sign transactions using these tools until they are updated to work correctly. Due to the responsible disclosure process, we were not able to inform the maintainers beforehand.
Web-based applications

It seems that the problem with third-party tools & obtain the previous transaction.

Pmalek

legendary

Activity: 2730

Merit: 7065

Yes, they mentioned that other wallets are affected as well, its not a problem that is exclusive to Ledger. And apparently it is an issue that is known and has been brought up several years ago.

bob123

legendary

Activity: 1624

Merit: 2481

The same vulnerability has been fixed by trezor.
This has something to do with segwit and other wallets are most likely affected too.

Trezor post: https://blog.trezor.io/latest-firmware-updates-correct-possible-segwit-transaction-vulnerability-266df0d2860

Rath_

legendary

Activity: 1876

Merit: 3132

Just for the record, this vulnerability is not specific to Ledger devices. This has been also fixed in the recent Trezor software update. Other hardware wallets might be affected as well.

Pmalek

legendary

Activity: 2730

Merit: 7065

A vulnerability been has discovered and rectified in the Bitcoin app on the Ledger Live hardware wallets. It affects Bitcoin as well as all forks of it. This exploit can't result in the accounts being emptied out but it allows a hacker to increase the transaction fees "without confirmation on the device".

This applies only to transactions containing at least one SegWit input. The subject would also have to use a fake Ledger software/wallet and be tricked into signing a transaction twice.

Ledger is saying that they don't have any records that this vulnerability has been exploited in the past.
A fix has already been released and Ledger Live users are suggested to update their software to version 2.4.1 and update their installed apps on their Ledger hardware wallets.

More info available here
https://support.ledger.com/hc/en-us/articles/360014191540-Massive-transaction-fees-in-BTC-and-BTC-based-apps
https://donjon.ledger.com/lsb/010/

Topic: Vulnerability in the Ledger Bitcoin App Discovered (Read 509 times)