In the case of the 15-year-old would-be hacker, the target was the Ledger Nano S, a hardware wallet designed by France-based Ledger, a company which liked to boast about the capabilities of their specialized hardware when it comes to storing cryptocurrencies. Through its marketing materials and press releases, the company stated numerous times that their reliance on "cryptographic attestation" allowed their devices to use digital signatures that were impossible to forge, thereby letting only authorized code to run on their products.
But the work of one U.K. teenager named Saleem Rashid has exposed it as nothing more than smoke and mirrors, as he posted the details of how their technology could be entered and used for nefarious purposes on his own personal blog. Rashid's proof-of-concept code allowed him to enter the company's $100 hardware wallet, called the Ledger Nano S, through a backdoor that gave him full access to it.
It is said that the backdoor code used by Rashid is only 300 bytes long, which isn't much in terms of programming code, and causes the hardware wallet to generate pre-determined wallet addresses and recovery passwords that are privy to the attacker. With the passwords, the attacker could then use a new Ledger hardware wallet to recover private keys that are also used in the backdoored devices.
What's worse, the same approach was shown to be effective for changing wallet destinations and payment amounts, so that any transactions like deposits go directly to an attacker's account. Interestingly, the method used to break into the $100 hardware wallet also worked on the more expensive Ledger Blue, which costs $200 and is supposed to be a better hardware wallet.
According to Matt Green, a professor at Johns Hopkins University that specializes in encryption security, Ledger's biggest problem is that the space that they're working in may not really be all that conducive to something that's supposed to be tamper-proof. "Ledger is trying to solve a fundamentally hard problem. They need to check the firmware running on a processor. But their secure chip can't actually see the code running on that processor," he explained. "So they have to ask the processor to supply its own code! Which is a catch-22, since that processor might not be running honest code, and so you can't trust what it gives you."
In other words, it's a bit like asking a person who might just be a criminal to give you their full criminal history – based on the honor system. It's simply not workable. (Related: Bitcoin wallet devices found to be surprisingly vulnerable to hacking.)
For its part, Ledger has openly addressed security concerns such as this one in the past, and will likely be issuing necessary software updates to try and minimize the impact of such vulnerabilities. Perhaps it will be up to those who still own cryptocurrencies to make sure that their hardware really works as advertised, instead of simply taking the word of companies like Ledger for it. And if not, to look for better alternatives.
Learn more about the dangers of crypto investments at Risk.news.
Sources include: