Honestly the biggest risk to owning a ledger is someone holding a gun to your head demanding your pin... Nobody is going to go to the lengths required to pull off this "exploit" and anyone who tries would need serious resources and skills.
"Fuck, he's got a ledger nano s! What do we do? The plan wasn't supposed to go this way..."
"Uh... check his sock drawer for the keys"
"Half of it is in here!"
"okay now take this hammer and beat his kneecaps in until he tells you where the other half is."
I own multiple Ledger Nanos, but I rarely use them for even a tenth of my coins. If someone's gonna rob me, I prefer they do it digitally, and leave my kneecaps intact. There are better solutions.
> Honestly the biggest risk to owning a ledger is someone holding a gun to your head demanding your pin
That is not even a risk because you can configure the ledger to show an alternate wallet with spare balance by entering a different pin.
Abell68 · Crypto God | QC: ETH 75, BTC 31, LTC 15 · 4 months ago
I suppose, but I don't think normal people have the best skills to evade interrogation tactics. Best policy if you were using a ledger would be:
Account 1 with X, Account 2 with X+Y, Account 3 **on paper with Z**.
I believe the psychology of it being in your hand would allow you to bend more easily than a paper wallet off site that for all intents and purposes doesn't exist would be the better policy. Or of course, committing a word-phrase to memory.
tranceology3 · Crypto God | QC: Tronix 120, CC 66, BTC 41 · 4 months ago
Even so, a couple of extra precautions (that we should all follow) will put your mind at rest:
Use a clean computer for your crypto trading - and only use this machine for buying and moving crypto. Don't use the same machine you use for general Internet browsing, games, etc.
When you get a Ledger Nano, the first thing to do is update the firmware. The only proven vulnerabilities require the thief to have access to the device before you use it. Updating or checking that the firmware is correct will render most hardware attacks useless.
Set up the wallet but only put a small amount of money in it. Check for a few days to see if anything looks wrong.
If you had a clean computer you don't need a hardware wallet. The whole point is that you expect your computer to be compromised.
tranceology3 · Crypto God | QC: Tronix 120, CC 66, BTC 41 · 4 months ago
Right! It's like saying: Make sure to wear a bulletproof vest and not go into combat if you don't want to get shot. The whole point to a bulletproof vest is to protect when you go into combat cause you might get shot.
So basically the same as McAfee's wallet, where they also didn't gain access to the seeds and funds, right? I get the hate for McAfee and I love Ledger too, but this is a pretty clear double standard. Just look at the different way these two very comparable situations are covered here.
Wasn't the McAfee wallet exposed for poor security by several researchers?
> get the hate for McAfee and I love Ledger
In security you need to have a strong foundation for the product you are building. If it is actually secure, there won't be any hate because all of crypto security speak the same language and look for the same loopholes when testing.
It's simple as that.
> Wasn't the McAfee wallet exposed for poor security by several researchers?
From what I've seen pretty much the same type of hacks the ledger is currently getting. And in neither case were the private keys or funds ever compromised. But for the McAfee wallet, that pretty much meant its end. (I guess. haven't been following it)
And the hate had little to do with the actual wallet but mainly because it was promoted by McAfee, who is a controversial figure.
It started because the McAfee wallet company used a dick move asking people to steal funds from the wallet. It's like asking someone to guess/crack the seed. It's not even a real hack test.
There are hundreds of other ways a wallet can be hacked (like replacing the firmware with malicious code that changes addresses). However the McAfee company denied these were real issues. And then when hackers started digging into the wallet they threatened people with patents lol
Also the wallet company themselves had dicks running its social media account (probably the CEO himself)
> It started because the McAfee wallet company used a dick move asking people to steal funds from the wallet. It's like asking someone to guess/crack the seed. It's not even a real hack test.
Isn't that pretty much the same as offering rewards for bughunting? I can agree that the way he does things can be quite ... uhm ... over the top :D
As for the rest, fair enough. That's pretty much what I'm saying though. Aside from the guys behind it, it's pretty much the same situation. Both wallets haven't really been compromised the way most people would fear.
Bughunting is different. If you want someone to hunt for bugs, you open up the entire system.
A hacker can hack your computer in any number of ways.
These guys asked the hackers to steal one file that is stored inside the system
But a hacker can do damage in other ways, and possibly worse damage than steal a file.
Basically what this wallet company asked to do wasn't even bughunting, it was a limited gimmick to claim "unhackable" which was immediately called out as bullshit
In a h/w wallet there are many types of attacks.
1. Steal funds from one wallet (limited attack) vs
2. Compromise the entire wallet so that any new funds entering the wallet would be stolen (wide attack)
When the second attack was demonstrated this company said this isn't the "bounty" terms and refused to pay. People lost their minds lol
Wtf is wrong with this community. Back in 2010 we would applaud people trying to break Bitcoin and hardware wallets because it would make them more secure. Now that they were all banned it’s just full of losers like you who would rather bugs go undisclosed so you don’t lose more of your $50 “investment”. Fuck this place and fuck the admin team for letting it get like this.
SuperNewk · Crypto God | QC: CC 65, XLM 64 · 4 months ago
Lmao screwed Bitcoin over? There wouldn’t be no Bitcoin without us. Your statement shows everything wrong with the current Bitcoin community.
> So we can get rich.
That’s all you care about. Keep trolling devs that find security flaws in Bitcoin and let the bugs live on to keep the coin price up in short run. Let’s see how that strategy works in the long run for you.
That's not how you "disclose" bugs, that's just a show for interwebz points
edit: here, have a read https://en.m.wikipedia.org/wiki/Responsible_disclosure
btc_clueless · Crypto God | QC: CC 241, NANO 53, LW 25 · 4 months ago
The team [did disclose to Ledger](https://twitter.com/walletfail/status/1078784796506144769) (but not Trezor) but Ledger ignored it and now says "well, they didn't use our official bug bounty program", which seems like a cheap excuse to me...
It's laughable, after selling so many units, if there was a severe hardware exploit, it would have been exploited in the wild by now.
btc_clueless · Crypto God | QC: CC 241, NANO 53, LW 25 · 4 months ago
The hardware exploits they showed do work. There's little doubt about that. The question is how relevant are they, since all the exploits need physical access to the hardware wallet which is rarely the case. It might be a viable exploit for either government agencies or sophisticated hackers with a very specific high-profile target
> It might be a viable exploit for either government agencies or sophisticated hackers with a very specific high-profile target
Who in all likelihood, if they were that desperate, just beat it out of the victim.
I ordered my ledger a year ago during December. About a month ago I made five different seed phrases and copied all the addresses in a file and since I'm just DCA buying and hodling for 5 years plus I'm not even going to plug in my ledger just send coins to my wallet addresses. I guess this is a solution of some degree, no??
> the attacker modifies the device as explained, puts a malware on the victim’s PC which will trigger a transaction and waits for the victim to enter his PIN and launch the Bitcoin app. At this very moment the malware on the PC triggers the transaction. The attacker, who is in a side room, will push the confirmation button with his remote control.
Another question: if the goal is to fake a "YES" after the PIN is entered and after the Bitcoin app is launched, why go with all the antenna trouble to simulate a "YES" press: why not simply make the implant simulate a yes after it detects that the two buttons were clicked after the Nano S started? (wait for power on the implant (meaning the Nano S just got connected), user enters PIN (which doesn't require to press two buttons as far as I remember), user enters the Bitcoin app (which requires pressing two buttons IIRC) and then apparently the malware on the PC triggers the transaction: have the implant simply delay the simulation of the "YES" click after the user clicked on both buttons by a tiny amount of time, just enough for the malware apps to have the time to send the transaction for signing to the Nano S)?
Wouldn't that also work and not require "sitting in a room next door with an antenna" ?
I realize it was late and I miscounted the number of "double clicks" (both left and right buttons) but the implant could still work without an antenna. Set the implant between attacking 4, 6 and 8 digits PIN long then:
- wait for the first double click (one digit of the PIN has been entered)
- wait for the 2nd double click (two digits of the PIN have been entered)
- repeat until either 4 digits, 6 digits or 8 digits have been entered (the implant can randomly pick these or just cycle through)
- wait for double click (this means Bitcoin app probably has been opened)
- send the tx to be signed to the Ledger (from the malwared app on the PC)
- simulate the click on yes right after the Bitcoin app has been opened
If it's possible to install a malicious firmware, why can't that malicious firmware behave like the real firmware except that it makes a note of the pin when it's entered?
Then later on, I steal the ledger, enter my secret code and have it tell me the pin. Then I restore the genuine firmware, and use that stolen pin to make a real transaction?
In fact, I suspect it wouldn't be too hard to install a parasite MCU that sits on the screen control GPIO pins and just screenshots at appropriate times. If that MCU were BLE enabled I could have it broadcast those screenshots to my phone.
In essence then: physical access to your ledger at any time means it's not secure. Personally I'd live with that. But I'd rather these possibilities were broadcast.
It's not really possible to prevent someone from modifying the device - basically you're left with two options: either you use some potting / anti tampering shield then users can't verify by themselves that the device hasn't been modified and have to trust you and the reliability of the anti tampering system, or you create a device that's easy to validate if necessary but then some people will complain that it's easy to open and modify. We picked the latter nonetheless as it provides more guarantees for expert users (see https://support.ledger.com/hc/en-us/articles/115005321449-Check-hardware-integrity)
As I said... I understand.
I can't say I care for these silly "we've cracked ledger" reports. I do think a bit more publicity about how exactly a ledger is weak would be a good idea though.
I don't think saying "you should make sure you buy from a reputable source because tampering is a weakness" does a disservice. It does seem like the possibility gets glossed over though.. which is a disservice.
> I do think a bit more publicity about how exactly a ledger is weak would be a good idea though.
It's useless though. I mean "using a device that is not a ledger but looks like one won't protect you" is a truism for anything. If you completely change the insides, you have a different device with a ledger skin. This is not a vulnerability.
That said, it's been said all over and everywhere to make sure to only buy hardware wallets from trusted vendors.
I think one way to make such (already difficult to pull off) attacks way way way more difficult would be for Ledger to require, for sizeable transactions (or when too many small transactions are made in an hour / day / whatever), for the destination address(es) to be whitelisted on all Ledger's nodes / DB.
And to then make the process to whitelist an address much more complicated than a simple "confirm new address ?". For whitelisting addresses some exchanges go to quite some length: enter the address, enter the currency (so that you don't say send BCH and BSV at the same time), confirm 2FA (say appearing on your phone), send an email, confirm the whitelisting, confirm on the user's computer with a "YES / NO" the question "Are you sure you want to whitelist this address?", even in some case optionally confirming you actually own or know the person who owns the whitelisted address (you must send 1938 satoshis to this address to confirm you or someone you know is in control of the address you're in the process of whitelisting), etc.
I'm sure that Ledger could come up with something better, involving user intervention on the hardware wallet too, like a message on the Nano : "Do you confirm whitelisting of address XXX for currency YYY?" (but that'd be just one part of the process: 2FA required too, email required too, etc.).
Now the attacker, to steal any sizeable funds of my hardware wallet, would need to hack: the Nano S, the PC, the browser (to fake basically everything that is displayed, including the emails which is also required for whitelisting, the display of the Nano, the browser and what appears in the https:// site controlled by Ledger etc.).
From a user's perspective this would change next to nothing as small tx wouldn't require whitelisting.
But the attacker suddenly faces something much more complicated than his already far-fetched implant + malwared crypto app. He now needs a way to do an implant on the Nano that can change the display of the address to be whitelisted (that's something else than simulating remotely a click) and a malware crypto app and a malware to modify the browser (to modify both the infos displayed by the Ledger "whitelisting webapp" and to modify the email the user receives).
I know it's a lot of work and not 100% foolproof but whitelisting for big transactions really does raise the bar a lot. The exchanges which are using whitelisting are using it for a reason.
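The threshold-plus-whitelist rule proposed in the comment above, sketched as an added example (not part of the original thread, and not Ledger's or any exchange's code). It models a service that relays withdrawals; the thresholds, the confirmation channel names and the placeholder addresses are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy parameters (not from the thread).
LARGE_TX_SATS = 1_000_000      # at or above this, destination must be whitelisted
MAX_SMALL_TX_PER_WINDOW = 3    # non-whitelisted small sends allowed per window
WINDOW_SECONDS = 3600
REQUIRED_CHANNELS = {"device", "2fa", "email"}  # independent confirmations

ALLOW = "allow"
DENY_LARGE = "deny: large amount to non-whitelisted address"
DENY_RATE = "deny: too many small sends to non-whitelisted addresses"


@dataclass
class WithdrawalPolicy:
    # Entries are (currency, address) so an address approved for one chain
    # is not implicitly approved for a fork that shares the address format.
    whitelist: set = field(default_factory=set)
    recent: deque = field(default_factory=deque)  # timestamps of small sends

    def whitelist_address(self, currency, address, confirmed_channels):
        """Whitelist only if every independent channel confirmed the request."""
        if not REQUIRED_CHANNELS <= set(confirmed_channels):
            return False
        self.whitelist.add((currency, address))
        return True

    def check(self, currency, address, amount_sats, now):
        """Decide whether a send may proceed at time `now` (seconds)."""
        # Forget small sends that have aged out of the sliding window.
        while self.recent and now - self.recent[0] >= WINDOW_SECONDS:
            self.recent.popleft()
        if (currency, address) in self.whitelist:
            return ALLOW
        if amount_sats >= LARGE_TX_SATS:
            return DENY_LARGE
        if len(self.recent) >= MAX_SMALL_TX_PER_WINDOW:
            return DENY_RATE
        self.recent.append(now)
        return ALLOW


if __name__ == "__main__":
    policy = WithdrawalPolicy()
    dest = "PLACEHOLDER_ADDR_A"  # constructed sample value
    for t in (0, 10, 20, 30):
        print(t, policy.check("BTC", dest, 50_000, t))
    print(policy.check("BTC", dest, 2_000_000, 40))
    policy.whitelist_address("BTC", dest, {"device", "2fa", "email"})
    print(policy.check("BTC", dest, 2_000_000, 50))
```
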
> I think one way to make such (already difficult to pull off) attacks way way way more difficult would be for Ledger to require, for sizeable transactions (or when too many small transactions are made in an hour / day / whatever), for the destination address(es) to be whitelisted on all Ledger's nodes / DB.
You can use your device without using any of Ledger's nodes or desktop software (for example, with Electrum), so this isn't really feasible. The Ledger company is not in a position to control your transactions. (which is a good thing!)
Ah you're right of course and I should know better for I recently connected using Electron Cash to the BSV nodes (to cleanly split the BCH and BSV I had), bypassing the Ledger app.
So an attacker who broke into your home and physically implanted the Nano S and who physically attacked the PC too could make that tx relayed by another node: that's totally right.
Re- the Ledger company not in a position to control your transactions: they never really were anyway as the seed is a standard supported by many wallets but yeah I get your point: you can still get the safety of the Nano S while hooking up to another app (like Electron cash).
Thanks for the explanation.
Yes, and you're likely fine even if they did get their hands on both it and your computer. From what I understand, in order to actually execute an attack, they would have to modify the device, compromise your PC, and then wait for you to unlock the hacked Ledger and open a crypto wallet app on it. They would have to be able to see this happening in real-time and be close enough to you in order to trigger the remote hack that would falsify a confirmation button press on your hacked Ledger.
I would say the chances of that actually happening are sufficiently close to zero that it's not worth worrying about.
Thanks, I guess to be sure you get a device that hasn't been tampered with you should only buy from the official website. I've seen some nasty stuff on Amazon, if you look at the images reviewers post...
It's not that uncommon to find a new one that has a fingerprint or a mark on it. Keep in mind these are packaged by actual people.
The known attack vector has been pre-created seeds that come on some type of paper or scratch-off official-looking sheet. New people would assume that this is official and use it as is. Even those wallets would probably be just fine if the user would have created their own seed. I say probably because I have not heard of but also am not sure of anyone tampering with the physical device in order to make it transmit
Yeah, I would definitely only purchase a Ledger direct or from an authorized dealer (if there are any). The most common scenario I've heard of with third-party sellers is that they have pre-loaded a private key that they control onto the device and wait for you to send crypto to it before transferring it to themselves at another address. That doesn't require any hacking at all, just circumventing the way a Ledger should be set up (with a new key generated by the end-consumer). It's also possible that there are completely fake Ledger devices out there. I don't bother looking for them :)
Because the checks around the validation are tricky to come around. Not saying it's impossible but it wasn't demonstrated during the talk. There was some discussion about running code in RAM but no details about how said code would be injected
My understanding was that they proposed flashing a modified firmware (RLE compressed) which would run a depacking routine in RAM, flash the unpacked firmware, call the original verification routine which would then pass the SE check (since it's fully original) and after that they're still in control of execution from RAM. That is, the "injection" of the code is through the firmware flash exploit found through the shadow address.
They described having (with such a naïve first implementation) 254 bytes IIRC to use for this, which is plenty, although not enough for the obvious hack where the first time the user uses their Ledger to sign a transaction the funds would be sent to another address instead.
There are examples of this on other devices. They are called boot kits. For illustrative purposes only, I would refer you to http://williamshowalter.com/a-universal-windows-bootkit/ to get an understanding of the complexity of the problem.
The skill level necessary to develop something like this would normally be very high due to the space available and verification steps on the ledger. While I would not classify the decompression and bootkit code as a vulnerability, if the authors release it then the difficulty in developing a functioning bootkit for the ledger would be significantly reduced. Combined with the attention this is generating, I would not be surprised to see private malware coupled with a derived bootkit developed and used against limited targets.