RESEARCHER FINDS ANOTHER SECURITY GAP IN LEDGER NANO S
Ledger responds with a firmware update
An independent security researcher, Saleem Rashid, who is 15 years old, by the way, found a previously unknown way to attack Ledger Nano S wallets.
“The vulnerability arose due to Ledger’s use of a custom architecture /…/” Rashid writes in his blog post. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.”
In case of a Ledger Nano S running firmware 1.3.1 or below, one of the ways attackers can break into your wallet is physical access before setup of the seed. Rashid explains it as “supply chain attack /…/. It does not require malware on the target computer, nor does it require the user to confirm any transactions.”
Rashid reckons that non-technical users cannot easily confirm that their device hasn’t been tampered with. In fact, Ledger wallets do not come with tamper-proof packaging because the devices themselves are designed to keep out any attacker.
Ledger confirmed the issue but emphasized that the issue “is an industry wide issue.”
“All hardware wallets are affected,” a Ledger spokesperson said. “This is not a vulnerability of the device, but a reminder about the fact you cannot trust what you see on the screen of your computer.”
Since the reported security problem Ledger has released a firmware update (1.4.1) that remediates this vulnerability of the Nano S.
Rashid himself underlines the importance of updating in his article: “As one of the security researchers, I urge to update now. My article doesn't make it clear enough how dangerous this issue can be.”
The firmware came out 2 weeks ago but we believe there are lots of users out there who have still not updated their Ledger Nano S firmware. If you are one of them we recommend visiting Ledger’s website for the update: