During a popular hacker conference in Europe, three researchers presented their findings on breaking into cold storage hardware wallets with what appeared to be relative ease. The demonstrations focused on Ledger and Trezor offerings and ranged from defeating basic security measures such as stickers all the way to physical modifications. Both companies have now responded to the break-ins.
Ledger, Trezor Respond to Hacking Demos Claiming to Potentially Compromise User Funds
CoinSpice brought first news of how researchers at a famed conference successfully hacked popular hardware cryptocurrency wallets. It was a compelling presentation, each speaker incredibly detailed.
And while hackers are known for their innate curiosity along with the need to share findings, companies like Trezor have a business to run. An unwritten rule of vulnerability research is to give the impacted party a chance to address the issue(s) prior to going public.
Pavol Rusnak, CTO of Satoshi Labs, maker of Trezor, explained, “With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we’ll be addressing them via a firmware update at the end of January.”
Still Got Your Crypto
Trezor itself doubled down on the concern: “Regarding the presentation at #35c3, we were not informed ahead of time about the details of the disclosure. We are working with the info as it arrives. We will address the vulnerability in due time—as soon as possible.”
The company pleaded, “Please keep in mind that this is a physical vuln. An attacker would need physical access to your device, specifically to the board—breaking the case. If you have physical control over your Trezor, you can keep on using it, and this vulnerability is not a threat to you. Alternatively, you can enable the passphrase feature, intended for additional protection against physical attacks. However, this is an advanced option and you should know how it works before opting for it. Loss of passphrase will lead to loss of funds.”
The other hardware wallet spotlighted was Ledger. It responded with a full blog post titled “Still Got Your Crypto: In Response to wallet.fail’s Presentation.” When researchers turned their hacks to the Ledger wallet, “they presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case,” the post emphasized.
Don’t Worry, Your Crypto Assets are Still Secure on Your Ledger Device
“In particular,” Ledger continued, “they did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure.” The company then suggested they are “more than happy to see people trying to challenge the security of our products. This is the way to improve security.”
Similar to Trezor, they hit upon responsible disclosure, and pointed out they have an industry standard bug bounty. “We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program. We equally feel that the findings did not provide practical vulnerabilities,” they insisted.
Ledger then went on to show the many ways in which the device is safe, and how the attacks presented are impractical at best, especially in a bear market. They characterized physical hacks as proving “quite unpractical, and a motivated hacker would definitely use more efficient tricks (such as installing a camera to spy on the PIN entry).” Furthermore, what researchers believed to be a flaw, the ease with which the Ledger can be opened, is actually a feature, according to the company, allowing for just such checks against tampering.
Ledger Nano S Bootloader
“Ledger values all attempts to compromise our hardware wallets,” they concluded. “We strongly believe that our Bounty program is the way towards continuous security improvements. We are, however, also convinced that responsible disclosure is the best practice to follow in order to protect the end users while improving our products’ security.”
In that spirit, LiveOverflow showed an attack on Ledger via video. “Here is my video which @walletfail announced in their talk about hacking hardware wallets!,” the blurb reads. “The video is about the magic value 0xf00dbabe in the Ledger Nano S bootloader. This will also kickoff a new series on doing embedded hardware research! It was found that the Ledger Nano S bootloader can be tricked into flashing and executing untrusted firmware.”
The video too is clear in pointing out how this is an advanced attack, and that really no one should be too worried. Nevertheless, LiveOverflow claimed, “The bootloader is used to update the firmware of the ‘non-secure’ processor in the Ledger Nano S and has full control over the display, USB and the buttons. Time might tell how critical this issue actually is, a strong proof-of-concept still requires a lot of work and maybe the guys from wallet.fail will publish more in the future. Or join the security research and play around with it yourself!”