Warning for Ledger Nano S users / buyers

RGBKey

hero member

Activity: 854

Merit: 658

rgbkey.github.io/pgp.txt

Quote from: LeGaulois on July 05, 2018, 05:16:08 AM

@RGBKey
Excuse me but where did you see the desktop application would be ready this month? By the way, people should be careful while using it the first weeks, who knows if it will have some bugs here and there. I personally will let others test it, once I am sure the app is free from bugs I will start to use it Grin

Quote from: everythingforsale on July 04, 2018, 07:25:34 AM

Thanks for sharing, I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

If you had read the comments you wouldn't have this kind of post. See the post #23 above

Poster above me already linked the release date announcement, but you shouldn't have to worry about bugs as long as you're actually checking the information displayed on the device, like you should every time you're using it. If you sign a transaction with the wrong address/amount/fee, that's on you. A bug outside of that would be a much bigger deal and would likely ruin the ledger line of products.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: LeGaulois on July 05, 2018, 05:16:08 AM

Excuse me but where did you see the desktop application would be ready this month?

Ledger released an article in february, stating the release would be july:

Quote

Update June 5th: the release date of the new version of the Ledger Wallet desktop edition is scheduled to July 9th

Source: https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/

But who knows whether their software will be completely done by then.. I wouldn't be suprised by a delay of 1 or 2 months.

LeGaulois

copper member

Activity: 2828

Merit: 4065

Top Crypto Casino

@RGBKey
Excuse me but where did you see the desktop application would be ready this month? By the way, people should be careful while using it the first weeks, who knows if it will have some bugs here and there. I personally will let others test it, once I am sure the app is free from bugs I will start to use it Grin

Quote from: everythingforsale on July 04, 2018, 07:25:34 AM

Thanks for sharing, I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

If you had read the comments you wouldn't have this kind of post. See the post #23 above

notaek

legendary

Activity: 1268

Merit: 1009

There are three main scenarios where a hardware wallet can get compromised:

Blatant stealing of coins by untrustworthy resellers: This happens when someone buys a hardware wallet at a "cheaper price" from 3rd party resellers who aren't endorsed by the companies and falls victim without knowing that they are using the per-generated wallet with shared private keys. The cheaper price is the catch here.

Locating and replacing the receiving address from the Ledger wallet JavaScript file: It requires an attacker to replace the receiving addresses of victim to his own static address where the victim will send coins to the attacker. This compromise is quite complex and requires quite a bit of social engineering.

Fooling the MCU of victim's device: In this case a 3rd party seller can inject his own seed into the device in such a way that whenever a victim plugs in for the first time, it generates their injected seed instead of a random one. This was quite a concerning vulnerability but the Ledger Team has patched it in the next firmware update since its release.

Its fairly obvious by now that every buyer should do their due diligence before purchasing a hardware wallet and storing their fortunes into it.

everythingforsale

full member

Activity: 206

Merit: 100

Thanks for sharing, I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

RGBKey

hero member

Activity: 854

Merit: 658

rgbkey.github.io/pgp.txt

The first article you link to contains a niche security vulnerability which has already been patched. The second article you link to requires someone having access to files on your machine, and if they can do that then you're already in a world of hurt. Additionally, a new Ledger desktop app is scheduled to be released this month, so that second article will no longer be relevant.

Bervelukan

newbie

Activity: 140

Merit: 0

Thank you for your suggestions and notices, if we put bitcoin in the wallet, we must provide a security code to protect our coins.

faithupgrade

sr. member

Activity: 475

Merit: 253

ARCS - A New World Token

This is big lesson, never buy a hardware wallet from affiliate sites. You must buy it from the original manufacturer. Otherwise you will invest from a wallet where sellers knows already the privatekeys.

PrudnikovLS

newbie

Activity: 113

Merit: 0

That's why people should buy these devices on the official website and check them before starting active use. I heard a lot of stories on the Internet and this feeling is formed, as if people do not learn from other people's mistakes.

litecoinricky

jr. member

Activity: 171

Merit: 3

I need a break!

Quote from: GoldenLad on May 11, 2018, 08:38:05 AM

I would always go for hardware wallet. I know most people might have seen it as not being the best, but the truth is , every bitcoin storing method has its own disadvantages and also their advantages. Paper wallet is good, but there is a tendency of easily getting destroyed. Hardware wallet is good also but the idea of been tampered by a third party gave it away negatively. What I suggest you should do is to reset it upon arrival before you use it.

I only started this thread to warn others from making a mistake if it saves just 1 person from losing there funds then im happy

I think you advice is good, also ive seen ledger have updated the firmware again, and said to always check the address on the ledger screen, and all should be fine.

Even though I started this thread as a warning about this device, I still think that its a good piece of kit, just make sure you only buy from ledger, and update the firmware every time a new one is released, and always check the tx address on the ledger screen itself, and all should be safe.

GoldenLad

member

Activity: 252

Merit: 12

I would always go for hardware wallet. I know most people might have seen it as not being the best, but the truth is , every bitcoin storing method has its own disadvantages and also their advantages. Paper wallet is good, but there is a tendency of easily getting destroyed. Hardware wallet is good also but the idea of been tampered by a third party gave it away negatively. What I suggest you should do is to reset it upon arrival before you use it.

Shamie1002

full member

Activity: 406

Merit: 102

I was thinking the same thing.
I really do not trust buying such hardware wallets that are not produced by the official site are fake or not as safe as the one from the site itself.

I was planning to buy one but when I checked the site they were out of stock and just forgot about the whole thing of buying one.
I was very y bothered when I was checking other sites for cheaper and nearer one and grateful that I haven't bought.
I thought that if I will be buying a cheaper one and would risk a greater part of my earned money to that, it is a definite stupidity

litecoinricky

jr. member

Activity: 171

Merit: 3

I need a break!

Quote from: lillyann on May 08, 2018, 05:05:34 PM

Ledger Nano S has long been known to have software vulnerabilities. I also touched on this topic. I wonder how the producer wants to sell a wallet that does not give much security ...

I had read many reviews rating this device as brilliant, and seen many claims thats its 100% secure, thats why I felt the need to start this thread as soon as I realised its not 100% safe.

I think the producer is claiming the latest firmware fixes things, but the hackers claim not, so who knows ? Not me Sad

Radio-Active

member

Activity: 523

Merit: 10

YOUC - https://www.youengine.io/

Quote from: litecoinricky on May 07, 2018, 07:43:18 PM

Hi Guys

I have been looking for a secure way to store the small amount of BTC I have, but also have quick access to it. So after asking members on here a few days ago I decided I would go for an hardware wallet.

Tonight I decided I would go for the Ledger Nano S.

I went to buy one off the official site but didn't have a BitPay account, so decided to look elsewhere, thats when I came across the info that this device is vulnerable to supply chain hacks, so if you have one and didn't get it from the official site you need to check your device.

News article about it here: https://techcrunch.com/2018/03/21/a-15-year-old-hacked-the-secure-ledger-crypto-wallet/

Heres info about the hack here https://medium.com/@thepariscormier/how-to-hack-a-ledger-hardware-wallet-c38a4ac49d59

I think if bought directly from ledger they should be safe, but if bought from anywhere else be extra careful, make sure its fully updated and confirm its safety with ledger if possible.

I hope this saves someone from losing out,
Rick

It seems they replace the generating seed on the wallet with their own generating seed by injecting it!
it is recommended to buy them for the official seller, not a shady seller or reseller.

Ashleybarnes2

newbie

Activity: 64

Merit: 0

Quote from: litecoinricky on May 07, 2018, 07:43:18 PM

Hi Guys

I have been looking for a secure way to store the small amount of BTC I have, but also have quick access to it. So after asking members on here a few days ago I decided I would go for an hardware wallet.

Tonight I decided I would go for the Ledger Nano S.

I went to buy one off the official site but didn't have a BitPay account, so decided to look elsewhere, thats when I came across the info that this device is vulnerable to supply chain hacks, so if you have one and didn't get it from the official site you need to check your device.

News article about it here: https://techcrunch.com/2018/03/21/a-15-year-old-hacked-the-secure-ledger-crypto-wallet/

Heres info about the hack here https://medium.com/@thepariscormier/how-to-hack-a-ledger-hardware-wallet-c38a4ac49d59

I think if bought directly from ledger they should be safe, but if bought from anywhere else be extra careful, make sure its fully updated and confirm its safety with ledger if possible.

I hope this saves someone from losing out,
Rick

One of the first bits of advice I was given when new to the space was to buy my wallet off the official website. I ended up waiting months for it to arrive. while waiting I come across numerous stories on telegram of people who had purchases nano s's off amazon only to be hacked a few weeks later. One thing I admit is that im extremely diligent when it comes to cyber security now!!

lillyann

member

Activity: 308

Merit: 11

Ledger Nano S has long been known to have software vulnerabilities. I also touched on this topic. I wonder how the producer wants to sell a wallet that does not give much security ...

bitart

hero member

Activity: 1442

Merit: 629

Vires in Numeris

Quote from: MinerHQ on May 07, 2018, 09:24:24 PM

Quote from: litecoinricky on May 07, 2018, 08:47:03 PM

Quote from: Seetheummerallyeah on May 07, 2018, 08:43:07 PM

Buying the ledger from 3rd parties is fine... you just have to make sure you create a NEW seed upon receiving it. The ebay guy used a seed given to him meaning his private keys were already shared with someone else

No thats not the issue, the problem is that one of the chips in the Nano Ledger S is not secure, and can be modified by third parties.

If you're not confident to use hardware wallet then the best way to save all your long-term coin is a paper wallet and keep your private keys safely so that you can use them when you want in future. But for the regular usage, some of the desktop wallets like Electrum will do the best job.

Long back I planned to buy hardware wallet and after considering all the risks involved I dropped my idea of using hardware wallet and stick to my desktop wallet, paper wallet and for immediate access, I also use online wallets like XAPO and blockchain.

Hardware wallets are not as bad, as long as you have a backup of your private key (or preferably the seed). It's the easiest solution for people who are not tech savvy and don't want to play around with airgapped PC to store the desktop wallet, or to spend from the paper wallet when the time comes...
Hardware wallets are easy to use, but as everything else in life, it needs a basic understanding about the usage of it. I won't advice to someone (who is not confident enough to use a hardware wallet) to use a paper wallet because it makes the whole situation even riskier, e.g. the user keys in the private key on an infected PC online, not on a fresh OS installation on an airgapped PC...
I would suggest to use mobile wallets (Android or IOS, but without root or jailbrake) and hardware wallets for the beginners, if they want to secure their precious coins...

MinerHQ

legendary

Activity: 1456

Merit: 1023

Quote from: litecoinricky on May 07, 2018, 08:47:03 PM

Quote from: Seetheummerallyeah on May 07, 2018, 08:43:07 PM

Buying the ledger from 3rd parties is fine... you just have to make sure you create a NEW seed upon receiving it. The ebay guy used a seed given to him meaning his private keys were already shared with someone else

No thats not the issue, the problem is that one of the chips in the Nano Ledger S is not secure, and can be modified by third parties.

If you're not confident to use hardware wallet then the best way to save all your long-term coin is a paper wallet and keep your private keys safely so that you can use them when you want in future. But for the regular usage, some of the desktop wallets like Electrum will do the best job.

Long back I planned to buy hardware wallet and after considering all the risks involved I dropped my idea of using hardware wallet and stick to my desktop wallet, paper wallet and for immediate access, I also use online wallets like XAPO and blockchain.

litecoinricky

jr. member

Activity: 171

Merit: 3

I need a break!

Quote from: Seetheummerallyeah on May 07, 2018, 08:43:07 PM

Buying the ledger from 3rd parties is fine... you just have to make sure you create a NEW seed upon receiving it. The ebay guy used a seed given to him meaning his private keys were already shared with someone else

No thats not the issue, the problem is that one of the chips in the Nano Ledger S is not secure, and can be modified by third parties.

Seetheummerallyeah

member

Activity: 280

Merit: 41

Buying the ledger from 3rd parties is fine... you just have to make sure you create a NEW seed upon receiving it. The ebay guy used a seed given to him meaning his private keys were already shared with someone else

Topic: Warning for Ledger Nano S users / buyers (Read 301 times)