Ledger and Trezor respond to the hack of their hardware wallets
Marcus Misiak –
Three researchers from wallet.fail showed at the 35th Chaos Communication Congress (35C3) how weaknesses in the Trezor and Ledger hardware wallets can be exploited to hack them. Both Ledger and Trezor have now responded and explained that users' crypto balances are secure and that the devices can continue to be used.
Hardware wallets are the safest method of storing cryptocurrencies. As researchers at 35C3 have now shown, however, they are also vulnerable. Like any other piece of technology, they have their own weaknesses. The three hackers from wallet.fail showed how to hack the Trezor One, the Ledger Nano S and the Ledger Blue wallets. This was shown during a hacking event called "35C3 Refreshing Memories". The team, called wallet.fail, consisted of three people: Dmitry Nedospasov (security researcher and hardware designer), Josh Datko (security researcher) and Thomas Roth (software developer).
Basically, the hackers were able to extract the private keys from the devices after using custom firmware. They pointed out that the hack can be used only if the user has not set a passphrase, so people who are really careful are not affected by the problem.
Ledger's response
The Ledger Nano S, currently probably the most popular hardware wallet, was the first to be hacked by the group. As the researchers showed, they could install a retro Snake game on the device and even confirm transactions. In a blog post, Ledger did everything it could to reassure users of the Nano S. The company stated that the hacks do not call the security of the device into question at all:
They presented 3 attack paths, which could give the impression that critical vulnerabilities on Ledger-devices were detected. This is not the case.
Although the researchers said that they love all of “cryptocurrency” and even cryptocurrency owners, Ledger seems to be a little disappointed:
In the security world, the responsibility for full disclosure of the data is the usual procedure…. We regret that the researchers have not followed the standard security principles of Ledger’s Bounty program.
Ledger also believes that the three researchers found no “practical vulnerabilities”. First, the researchers carried out an attack in which they used a physically modified wallet and malware on the owner's PC, in combination with a potential attacker in a nearby room, who had to use the hacked PIN remotely and start the cryptocurrency application. Ledger says of this kind of attack:
It would be quite impractical, and a motivated hacker would definitely apply more efficient tricks. […] They tried to attack the supply chain by circumventing the MCU check, but it did not succeed. The MCU manages the screen, but has no access to the PIN or the seed, which are stored on the Secure Element.
Ledger also said that it will fix the bug in the next firmware version of the device.
Trezor firmware update planned
The CTO of SatoshiLabs, Pavol Rusnak, also complained that the trio did not inform the company prior to the conference. SatoshiLabs is responsible for the Trezor wallet and has promised a firmware update for the end of January that will fix all the weak points of the system. Trezor acknowledges the vulnerability and said that the weakness identified is a physical one:
An attacker requires physical access to your device, and in particular to the board, which destroys the housing. If you have physical control over your Trezor, you can use it, and this vulnerability is not a threat to you.
Trezor has also said that concerned users can activate the “Passphrase” function on their Trezor hardware wallets, but that any loss of the passphrase by a user leads to “money loss”.