Trezor and Ledger Respond to Claims Their Crypto Wallets aren’t Secure

Three researchers and engineers have published a presentation from the 35th Chaos Communication Congress revealing claimed vulnerabilities in cryptocurrency hardware wallets. Trezor and Ledger have responded, saying in short that their users’ cryptocurrency balances are safe.

Dmitry Nedospasov, Thomas Roth, and Josh Datko created the website wallet.fail and promised to publish their Chaos Communication Congress presentation online after the event. Within 24 hours the researchers’ claims had been published and two leading hardware wallet makers had responded.

Ledger Says Your Crypto Assets Are Secure

Ledger has gone all out in response with a blog post saying that, although it is happy to see people challenging its security:

They presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case.

Despite the researchers saying they all “love cryptocurrency” and are cryptocurrency owners themselves, Ledger also seems somewhat disappointed, adding:

In the security world, the usual way to proceed is responsible disclosure… We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.

Ledger also believes the three researchers did not provide “practical vulnerabilities.”

Firstly, the researchers performed an attack that required modifying the physical wallet, running malware on the cryptocurrency owner’s PC, and having an attacker in a nearby room remotely enter the hacked PIN and launch the cryptocurrency application. Ledger says of this type of attack:

It would prove quite unpractical, and a motivated hacker would definitely use more efficient tricks.

Secondly:

They tried to perform a supply chain attack by bypassing the MCU check, but they did not succeed. The MCU manages the screen but doesn’t have any access to the PIN nor the seed, which are stored on the Secure Element.

Ledger does, however, acknowledge a bug in its firmware update function which allowed the researchers to load their own software. Ledger says this bug has been fixed in the device’s next firmware version and that it exposes nothing more than a JTAG debug interface; the researchers were unable to access cryptocurrency funds.

Lastly, for the Ledger Blue wallet, the researchers measured radio emanations while a PIN was entered, a tactic that could let an attacker work out a user’s PIN. Ledger calls the attack “interesting” but says that in real conditions the device would have to remain in the same position as when the “dictionary” of emanations was recorded, so it is again unlikely.