Κενό ασφαλείας στα ledger hardware wallet

Κενό ασφαλείας αποκαλύφθηκε στα δημοφιλή ledger nano s hardware wallet που υπό συνθήκες και με τον συνδυασμό ενός εγκατεστημένου malware μπορούν να αποκαλυφθούν σε τρίτους τα private seed key του Bitcoin wallet.

Ήδη έχει γίνει διαθέσιμο το security fix μέσω ενός firmware upgrade που διορθώνει το συγκεκριμένο πρόβλημα με την ledger να προτρέπει σε όλους να αναβαθμίσουν.

In order to take advantage of the new features and latest security improvements brought by the Ledger firmware 1.4, we strongly recommend our users to update their Nano S.  Note that this update could take up to 15mn.

Due to the update, our servers are under a very heavy load. This results in difficulties to update the device. We recommend to wait a few hours or days before proceeding to the update. Not funds are at risk, and you can’t brick your Nano S, but you may have to try a few times before succeeding (if you are in immediate need of your funds, it’s better to delay the update)

Η διαδικασία της αναβάθμισης περιγράφετε στο σχετικό για το θέμα blog post της ledger ενώ θα πρέπει να ακολουθηθεί πιστά για να είναι πετυχημένη η αναβάθμιση.

O CEO πάντως της ledger με μήνυμα του στο reddit είναι καθησυχαστικός κατά πόσο critical είναι αυτό το flaw ενώ δηλώνει ότι είναι σχετικά δύσκολο για να αναπαραχθεί σε πραγματικές συνθήκες .

EDIT: we have decided to share more information, even though we wished we wouldn’t have to (to not reveal anything useful to black hat attackers). The vulnerability reported by Saleem requires physical access to the device BEFORE setup of the seed, installing a custom version of the MCU firmware, installing a malware on the target’s computer and have him confirm a very specific transaction. While possible, this proof of concept ranks by no mean as a critical severity level and has never been demonstrated. Saleem got visibly upset when we didn’t communicate as “critical security update” and decided to share his opinion on the subject. This generated a lot of panic with threads such as this one, and I do not believe it was to the benefit of anyone. A complete blogpost (which was already scheduled to be published according to our reponsible disclosure program) will be available in time.