The extra verification step – take it seriously.

Did you hear the recent rumour about the alleged security threat concerning Ledger hardware wallets? We looked into the details.

Charles Guillemet, Chief Security Officer at Ledger, published a security blog post on ledger.fr. It was prompted by an article that bitcoin.com published on 3rd February, 2018, titled “Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets”. Guillemet felt it important to respond, emphasizing that, unfortunately, some of the claims made in bitcoin.com’s article are incorrect.

Guillemet writes:

“This is not a Ledger security flaw. Ledger users are not at risk, as long as they verify their new receive address on their device when they share it to receive funds. As far as we know, no user has ever lost any coins because of what remains a proof of concept.”

Ledger hardware wallets were originally designed because computer security cannot be guaranteed. Malware or a virus might attack the computer and replace the receiving address with another one. As a result, the user will end up sending funds to a third party (possibly the attacker) instead of the intended recipient.

Researchers have recently shown that malware can modify the Ledger Chrome application so that the address displayed on the computer screen is fake.

“No Ledger user has ever been fooled using this technique. We were already aware of this scenario: computers cannot be considered secure, and therefore you cannot trust what you see on the screen. That’s the very reason why we decided to create the Ledger hardware wallet in the first place.”

“The only thing users can completely trust is what is displayed on the screen of their Ledger hardware wallet. The Ledger Wallet Bitcoin Chrome application also has a dedicated icon (third one from the left hand side, see image above) allowing the user to display the receiving address on their Ledger device.”

So, even when the user’s computer has been compromised and the address on the computer’s display can no longer be trusted, clicking the icon marked in the image above makes the wallet generate the correct address and display it on the Ledger hardware wallet’s own small screen. That is the information you can trust.

“At Ledger, we strive to provide our users with an easy and secure way to manage their crypto assets. In order to avoid any misuse, we will keep providing our community with additional services and information.” – Guillemet concludes.


Source: https://www.ledger.fr/2018/02/05/man-middle-attack-risk/

Zsolt Balló