“Tamper-proof” cryptocurrency wallet just backdoored by a 15-year-old self-taught programmer
04/20/2018 // David Williams

Cryptocurrency wallets were invented to give those who own cryptocurrencies, such as Bitcoin, an easy way to store and access them via hardware. For a long time, the makers of these devices marketed their products as tamper-proof and capable of keeping any and all of their contents safe. But as it turns out, they are so open to vulnerabilities that a 15-year-old self-taught programmer was able to put together a proof-of-concept that showed a number of ways in which they could be "attacked."

In the case of the 15-year-old would-be hacker, the target was the Ledger Nano S, a hardware wallet designed by France-based Ledger, a company which liked to boast about the capabilities of its specialized hardware when it comes to storing cryptocurrencies. Through its marketing materials and press releases, the company stated numerous times that its reliance on "cryptographic attestation" allowed its devices to use digital signatures that were impossible to forge, thereby letting only authorized code run on its products.

But the work of one U.K. teenager named Saleem Rashid has exposed that claim as nothing more than smoke and mirrors, as he posted the details of how the technology could be entered and used for nefarious purposes on his own personal blog. Rashid's proof-of-concept code allowed him to enter the company's $100 hardware wallet, the Ledger Nano S, through a backdoor that gave him full access to it.

It is said that the backdoor code used by Rashid is only 300 bytes long, which isn't much in terms of programming code, and causes the hardware wallet to generate pre-determined wallet addresses and recovery passwords that are known to the attacker. With the passwords, the attacker could then use a new Ledger hardware wallet to recover the private keys that are also used in the backdoored devices.

What's worse, the same approach was shown to be effective for changing wallet destinations and payment amounts, so that any transactions like deposits go directly to an attacker's account. Interestingly, the method used to break into the $100 hardware wallet also worked on the more expensive Ledger Blue, which costs $200 and is supposed to be a better hardware wallet.

According to Matt Green, a professor at Johns Hopkins University who specializes in encryption security, Ledger's biggest problem is that the space it is working in may not really be all that conducive to something that's supposed to be tamper-proof. "Ledger is trying to solve a fundamentally hard problem. They need to check the firmware running on a processor. But their secure chip can't actually see the code running on that processor," he explained. "So they have to ask the processor to supply its own code! Which is a catch-22, since that processor might not be running honest code, and so you can't trust what it gives you."

In other words, it's a bit like asking a person who might just be a criminal to give you their full criminal history – based on the honor system. It's simply not workable. (Related: Bitcoin wallet devices found to be surprisingly vulnerable to hacking.)
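A simplified model of the catch-22 Green describes, added here as an illustration; it is not Ledger's firmware or Rashid's proof-of-concept. The class, function names and firmware byte strings are constructed, and a SHA-256 digest comparison stands in for the signature check. The `direct_measurement_check` contrast goes beyond the article and assumes a verifier that can read the processor's storage itself.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample images; real firmware would be a binary blob.
OFFICIAL_FW = b"official-firmware-image-v1 (constructed sample)"
MODIFIED_FW = b"modified-firmware-image (constructed sample)"
TRUSTED_DIGEST = hashlib.sha256(OFFICIAL_FW).hexdigest()


@dataclass
class Processor:
    """Hypothetical general-purpose MCU; `flash` is the code it really runs."""
    flash: bytes
    honest: bool = True

    def report_code(self) -> bytes:
        # An honest processor returns its real flash contents.
        # A dishonest one answers with a stored copy of the official image.
        return self.flash if self.honest else OFFICIAL_FW


def self_reported_check(mcu: Processor) -> bool:
    """Secure chip asks the processor for its code and hashes the answer."""
    return hashlib.sha256(mcu.report_code()).hexdigest() == TRUSTED_DIGEST


def direct_measurement_check(mcu: Processor) -> bool:
    """Contrast: a verifier that reads the flash itself (assumed capability)."""
    return hashlib.sha256(mcu.flash).hexdigest() == TRUSTED_DIGEST


def compare(mcu: Processor) -> dict:
    """Run both checks so their verdicts can be compared side by side."""
    return {
        "self_reported": self_reported_check(mcu),
        "direct": direct_measurement_check(mcu),
    }


if __name__ == "__main__":
    cases = [
        ("genuine", Processor(OFFICIAL_FW)),
        ("modified, honest reply", Processor(MODIFIED_FW, honest=True)),
        ("modified, dishonest reply", Processor(MODIFIED_FW, honest=False)),
    ]
    for name, mcu in cases:
        print(f"{name:28s} {compare(mcu)}")
```

The self-reported check returns the same verdict for the genuine device and for the modified device that lies, which is why it gives no assurance about the code actually executing.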

For its part, Ledger has openly addressed security concerns such as this one in the past, and will likely be issuing necessary software updates to try and minimize the impact of such vulnerabilities. Perhaps it will be up to those who still own cryptocurrencies to make sure that their hardware really works as advertised, instead of simply taking the word of companies like Ledger for it. And if not, to look for better alternatives.

Sources include:

ArsTechnica.com

SaleemRashid.com