Pages:
Author

Topic: WTB a Ledger Nano S (Read 413 times)

legendary
Activity: 1316
Merit: 1021
2009 Alea iacta est
February 03, 2018, 11:35:27 AM
#23
SECURITY

Ledger Receive Address Attack

https://www.docdroid.net/Jug5LX3/ledger-receive-address-attack.pdf


Overview
Crypto wallets consist of a private key for spending funds, and a public key for receiving funds.
Modern Crypto clients usually create a new receive address after every transaction.
This is done to better protect the privacy of the user, by spreading his funds across multiple addresses,
rather than one.
Receive addresses are normally generated automatically and are transparent to the wallet owner.
The Attack
Ledger wallets generates the displayed receive address using JavaScript code running on the host
machine.
This means that a malware can simply replace the code responsible for generating the receive address
with its own address, causing all future deposits to be sent to the attacker.
Because receive addresses are consistently changing as part of the usual activity of the wallet, the user
has no trivial way (like recognizing his address) to verify the integrity of the receive address.
As far as he knows, the displayed receive address is his actual receive address.
What Makes This Even Worse
-  All the ledger wallet software is located in the AppData folder, meaning that even an
unprivileged malware can modify them (no need to gain administrative rights).
-  The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files,
meaning they can be modified by anyone.
-  All the malware needs to do is replace one line of code in the ledger software, this can be
achieved with less than 10 lines of python code.
-  New ledger users would typically send all their funds to the wallet once initialized.
If the machine was pre-infected, this first transaction may be compromised causing the user to
lose all of his funds.
-  The attack changes the receive address during its generation, causing even the automatically
generated QR to be updated to the attacker’s address. Meaning that both the string and QR
representations of the address are compromised.
Proof of Concept
Open the file:
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User
Data\Default\Extensions\%EXTENSION_ID%\%EXTENSION_VERSION%\src\wallet\wallet.js
Replace the line:
return (_ref = this.wallet.cache) != null ? _ref.get(this.getCurrentPublicAddressPath()) : void 0;
With:
return “MY_MALICIOUS_ADDRESS”;
The next time you receive funds, all the funds will be sent to MY_MALICIOUS_ADDRESS.
Mitigation
Un undocumented feature, that isn’t even part of the official “Receiving BTC to your Ledger” article, can
in some cases help verify the integrity of the receive address.
On the bottom right part of the receive screen, a small monitor button exists. Pressing this button will
cause the receive address to show up on the hardware wallet’s screen.
This can be used to verify that the address is valid and has not been tampered.
Note that this process is not part of the default receive process, and is not enforced by the wallet.
A proper solution would be to enforce the user to validate the receive address before every receive
transaction, just like the wallet enforces the user to approve every send transaction.
Also, this undocumented feature only exists in the Bitcoin App.
The Ethereum App (and possibly other apps as well) has no mitigation, the user has no way to validate if
the receive address has been tampered.
Advice for Existing Ledger Customers
If you’re using the Bitcoin App – Before every receive transaction validate the integrity of the address
using the monitor button.
If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software-
based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At
least until this issue receives some kind of fix.
Responsible Disclosure
Unfortunately, Ledger doesn’t have an organized vulnerability disclosure program.
Nonetheless we contacted the CEO and CTO of Ledger directly in order to privately disclose and fix the
issue. We’ve received a single reply, asking to hand over the attack details. Since then all our mails have
been ignored for 3 weeks, finally receiving an answer that they won’t issue any fix/change.
Timeline:
4, January, 2018 – First contact with general information.
4, January, 2018 – CTO of Ledger requested the full details of the vulnerability.
4, January, 2018 – Full Details were sent.
10, January, 2018 – We’ve requested an update, no response.
13, January, 2018 – Again, we’ve requested an update, not response.
27, January, 2018 – CTO of Ledger replies that no fix/change would be done (our recommendation to
enforce the user to validate the receive address has been rejected), but they will work on raising public
awareness so that users can protect themselves from such attacks.



jr. member
Activity: 126
Merit: 1
February 03, 2018, 04:15:30 AM
#22
may be ebay? I saw there
newbie
Activity: 44
Merit: 0
February 02, 2018, 07:49:43 PM
#21
Don't buy any hardware wallet from people you don't know! I would not risk that - never!

I wrote a comparison about ledger vs tezor in case you are interested: https://bitcoincashback.net/Blog/how-to-get-started-with-Bitcoin-and-cryptocurrencies.html
sr. member
Activity: 1007
Merit: 279
Payment Gateway Allows Recurring Payments
February 01, 2018, 09:19:28 AM
#20
Payment received. Tracking details provided to the buyer. Parcel should be with you in 5-7 days.

A pleasure to do business with you.

Do you have any more? Or was it just the one?

I have three more, but I doubt I'll be selling unless the offer is good as I use them.
jr. member
Activity: 56
Merit: 115
Lowest EVER interest lending! (Use escrow always)
January 31, 2018, 06:41:37 PM
#19
Payment received. Tracking details provided to the buyer. Parcel should be with you in 5-7 days.

A pleasure to do business with you.

Do you have any more? Or was it just the one?
sr. member
Activity: 1007
Merit: 279
Payment Gateway Allows Recurring Payments
January 31, 2018, 10:26:29 AM
#18
Payment received. Tracking details provided to the buyer. Parcel should be with you in 5-7 days.

A pleasure to do business with you.
full member
Activity: 289
Merit: 100
January 31, 2018, 01:50:40 AM
#17
I have a sealed one for sale for like $150 only shipping domestically though.

Don't wanna deal with customs.

Side note where was this rush of people when I was selling 100 nanos for $40 each lol.

I wish I was heavily involved in crypto then as I am now haha. If you were still selling them that cheap, I would take you up on that offer Tongue
sr. member
Activity: 546
Merit: 250
Maybe a fed.
January 31, 2018, 01:02:34 AM
#16
I have a sealed one for sale for like $150 only shipping domestically though.

Don't wanna deal with customs.

Side note where was this rush of people when I was selling 100 nanos for $40 each lol.
jr. member
Activity: 56
Merit: 115
Lowest EVER interest lending! (Use escrow always)
January 30, 2018, 06:12:34 PM
#15
I can get you a sealed Nano for $320, and you pay shipping fees from Dubai/Singapore to your location.
sr. member
Activity: 1007
Merit: 279
Payment Gateway Allows Recurring Payments
January 30, 2018, 05:35:08 AM
#14
The Ledget Nano S is completely safe against tampering, if it was hacked it would be all over the internet by now.

As stated previously, I've got a used one for sale for $150, you can reset it to generate a new seed phrase, set your own password etc.

The price is $150 for it, including shipping to Europe, if shipping to US the price is $5 extra.

Pictures can be provided upon agreement.

$150 for used lolx, new price is $120 including shipping.

Where can you get a new one for $120?

Edit: They're sold out everywhere at retail price, with no new shipments until April as far as I'm aware.
sr. member
Activity: 728
Merit: 250
Go Big or Go Home
January 30, 2018, 05:32:02 AM
#13
The Ledget Nano S is completely safe against tampering, if it was hacked it would be all over the internet by now.

As stated previously, I've got a used one for sale for $150, you can reset it to generate a new seed phrase, set your own password etc.

The price is $150 for it, including shipping to Europe, if shipping to US the price is $5 extra.

Pictures can be provided upon agreement.

$150 for used lolx, new price is $120 including shipping.
sr. member
Activity: 1007
Merit: 279
Payment Gateway Allows Recurring Payments
January 30, 2018, 05:27:46 AM
#12
The Ledget Nano S is completely safe against tampering, if it was hacked it would be all over the internet by now.

As stated previously, I've got a used one for sale for $150, you can reset it to generate a new seed phrase, set your own password etc.

The price is $150 for it, including shipping to Europe, if shipping to US the price is $5 extra.

Pictures can be provided upon agreement.
sr. member
Activity: 1344
Merit: 307
January 30, 2018, 04:42:54 AM
#11
Regardless of if you buy from a third party or officially from ledger, you still want to make sure it is protected from tampering. One way is to generate a fake seed, reset the device and restore seed and if it restores, then you should be fine. You could also make sure to generate multiple seeds (to make sure its not hard coded to one seed, though I do recommend enabling additional passphrase for extra security in the event youre unsure). Ledger software should also see the nano s and be able to manage apps, and be able to update firmware. All in all, you should be fine, but if youre not sure, contact ledger (though you may want to use their subreddit since support havent been very responsive). I would recommend using an escrow though unless the person youre buying from is trusted.
sr. member
Activity: 728
Merit: 250
Go Big or Go Home
January 30, 2018, 04:09:47 AM
#10
Don't buy from someone, its not safe. Buy from official site.
legendary
Activity: 2758
Merit: 6830
January 30, 2018, 12:27:35 AM
#9
Just some similar buy thread i would recommend you to read

https://bitcointalksearch.org/topic/--2651524


Buying Ledger from third party is not safe at all
Isn't Ledger safe against tampering?

That's what I found on Ledger's website[1]: "There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key."

About the post linked above, I see that there was nothing wrong with the Nano S device bought from the third-party. The only issue was that the user used a pre-generated seed that came with the device to restore a compromised wallet. It's like creating a website that provides real binaries from the Electrum website but with this kind of warning: "When creating your wallet, select 'I already have a seed' and write '' to generate a safe wallet".

[1] https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/
full member
Activity: 289
Merit: 100
January 29, 2018, 11:45:44 PM
#8
Just some similar buy thread i would recommend you to read

https://bitcointalksearch.org/topic/--2651524


Buying Ledger from third party is not safe at all

Thank you for the advice. I'm well aware of the risks. The person who was scammed didn't set up their own passphrase it seems.

I'm just being impatient, but I'll keep that in mind.
legendary
Activity: 2828
Merit: 1222
Just looking for peace
January 29, 2018, 11:24:04 PM
#7
Just some similar buy thread i would recommend you to read

https://bitcointalksearch.org/topic/--2651524


Buying Ledger from third party is not safe at all
full member
Activity: 289
Merit: 100
January 29, 2018, 02:18:16 PM
#6
There should be resellers who can ship it out quickly. There is an official list here. https://www.ledgerwallet.com/retailers You should be able to find a store that ships to your country, and it's more safe.

Thanks for the tip. I'll look these over to see if they ship to me.
full member
Activity: 289
Merit: 100
January 29, 2018, 02:16:46 PM
#5
Please state your price, I've got a used one, but you can reset it with a new seed etc.

Could I see pictures of it? I can do $120 worth of ETH for it.
sr. member
Activity: 1007
Merit: 279
Payment Gateway Allows Recurring Payments
January 29, 2018, 05:45:58 AM
#4
Please state your price, I've got a used one, but you can reset it with a new seed etc.
Pages:
Jump to: