Cryptocurrency is all the rage these days with numerous crypto-exchanges, currencies, and wallets cropping up all over the place. However, as it is with anything that is digital, there’s a big question of security related with cryptocurrency wallets.
Ledger, a France based company, has been selling a crypto-wallet for quite some time now, and has repeatedly claimed that its wallet is tamper-proof and can’t be hacked because of advanced security features such as ‘cryptographic attestation’ — something the company claims uses unforgeable digital signatures so that only authorised code can run on the wallet.
In 2015, Ledger officials even claimed that “There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key.” However, that claim has now been proven utterly false by a 15-year-old from the UK.
Saleem Rashid published his findings (and the proof-of-concept code for the attack) to his personal blog. Rashid was able to use his code to backdoor into the Ledger Nano S — a $100 wallet that the company has sold by the millions.
Rashid’s code is just 300 bytes long and makes the wallet generate pre-determined wallet addresses and recovery passwords already known to the attacker. This method could be used by a nefarious actor to change wallet destinations, and amounts to their own whims and fancies, thereby making the wallet completely useless, and even dangerous to have.
Rashid had privately disclosed the vulnerability to Ledger officials in November last year, and Ledger officials finally pushed out a fix two weeks back, claiming that the issue wasn’t critical — a claim that Rashid has publicly challenged.
Saleem Rashid is not taking Ledger’s word for the fix either and has said that he will look through the fix to figure out if it actually patches the vulnerability completely. Even if it has, Rashid believes that slight modifications to his code could still probably crack the Ledger wallet open.