
SoylentNews is people

posted by martyb on Friday March 23 2018, @11:48AM   Printer-friendly
from the And-I-would-have-gotten-away-with-it-too,-if-it-weren't-for-you-meddling-kids^H dept.

Never say can't.

For years, executives at France-based Ledger have boasted their specialized hardware for storing cryptocurrencies is so securely designed that resellers or others in the supply chain can't tamper with the devices without it being painfully obvious to end users. The reason: "cryptographic attestation" that uses unforgeable digital signatures to ensure that only authorized code runs on the hardware wallet.

"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300 bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.

Oops. To be fair, he's a very clever 15-year-old.



  • (Score: 2) by pkrasimirov on Friday March 23 2018, @12:14PM (4 children)

    by pkrasimirov (3358) Subscriber Badge on Friday March 23 2018, @12:14PM (#657093)

    Best part is he cannot get sued because he's a minor.

    • (Score: 3, Informative) by All Your Lawn Are Belong To Us on Friday March 23 2018, @12:30PM

      by All Your Lawn Are Belong To Us (6553) on Friday March 23 2018, @12:30PM (#657096) Journal

      No. You can name anyone as a party to a lawsuit, and a minor can commit a tort. The leading theory is you name the minor and you name the parents (for negligent supervision to allow the minor to _________).

      Minors generally cannot enter into contracts.

      --
      This sig for rent.
    • (Score: 2) by PiMuNu on Friday March 23 2018, @12:49PM (2 children)

      by PiMuNu (3823) on Friday March 23 2018, @12:49PM (#657100)

      What has he done that he can be sued for?

      • (Score: 2) by c0lo on Friday March 23 2018, @01:16PM

        by c0lo (156) Subscriber Badge on Friday March 23 2018, @01:16PM (#657105) Journal

        Breach of DMCA - it's a universal law, like the law of gravitation, didntcha know?

        (grin)

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by All Your Lawn Are Belong To Us on Friday March 23 2018, @05:51PM

        by All Your Lawn Are Belong To Us (6553) on Friday March 23 2018, @05:51PM (#657190) Journal

        I'm not saying he's done anything unlawful. I'm only debunking the notion that a minor cannot be sued.

        --
        This sig for rent.
  • (Score: 2) by All Your Lawn Are Belong To Us on Friday March 23 2018, @12:27PM (4 children)

    by All Your Lawn Are Belong To Us (6553) on Friday March 23 2018, @12:27PM (#657095) Journal

    It simply requires an attacker to install a custom MCU firmware that can exfiltrate the private keys without the user’s knowledge, next time they use it.

    If you let someone get at the firmware of the device you can make it do quite a bit. It's not that this isn't legitimate, only that any device that hasn't adequately secured its firmware is likely vulnerable to something similar. (And only slightly more variable.... if you can do the firmware can you replicate the functions of the device accurately enough to fool the user into thinking it's legitimately working when it is working for you?)
    The author of the attack will go far in life, technically. I wonder about their quality of life, but hopefully it will be a happy one.

    --
    This sig for rent.
    • (Score: 2, Interesting) by Anonymous Coward on Friday March 23 2018, @12:43PM (2 children)

      by Anonymous Coward on Friday March 23 2018, @12:43PM (#657099)

      The author of the attack will go far in life, technically.

      Indeed.

      I wonder about their quality of life, but hopefully it will be a happy one.

      Considering the Muslim nature of his name, those chappies in Cheltenham will, no doubt, be paying especial attention to his career..and no doubt some plod somewhere is currently poring over the various computer misuse laws here in the UK looking for a stick to beat him with...mind you, as he's making a French company look a bit silly, they're probably feeling very conflicted.

      • (Score: 2) by tangomargarine on Friday March 23 2018, @04:34PM (1 child)

        by tangomargarine (667) on Friday March 23 2018, @04:34PM (#657160)

        Just as long as he doesn't start building clocks.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 0) by Anonymous Coward on Friday March 23 2018, @06:47PM

          by Anonymous Coward on Friday March 23 2018, @06:47PM (#657211)

          Just as long as he doesn't start building clocks.

          or wear a Casio F-91W [wikipedia.org]..
          or have too many safety matches [independent.co.uk], a pressure cooker and fairy lights at home..

    • (Score: 5, Insightful) by Arik on Friday March 23 2018, @01:33PM

      by Arik (4543) on Friday March 23 2018, @01:33PM (#657111) Journal
      "If you let someone get at the firmware of the device you can make it do quite a bit. It's not that this isn't legitimate, only that any device that hasn't adequately secured its firmware is likely vulnerable to something similar."

      Well one thing that seems rather important which you don't mention is that this is a device that is *specifically* marketed as being designed and built so that physical security isn't necessary. The company makes a big deal out of the claim, so it's not like he's demonstrating this sort of attack against a typical consumer device that's not supposed to be able to withstand it.

      --
      If laughter is the best medicine, who are the best doctors?
  • (Score: 2) by FakeBeldin on Friday March 23 2018, @01:23PM (4 children)

    by FakeBeldin (3360) on Friday March 23 2018, @01:23PM (#657107) Journal

    I've seen the claim that he is 15. I poked around a bit, but couldn't find confirmation.
    I'll readily admit that I haven't looked that well into it, but still: writing style and level of explanation of the blog post do not suggest 15 years old to me.

    Has anyone seen some sort of origins for the claim this chap is 15?

    • (Score: 1, Touché) by Anonymous Coward on Friday March 23 2018, @01:35PM

      by Anonymous Coward on Friday March 23 2018, @01:35PM (#657113)

      Based on your writing style, I believe you are 15. I've seen nothing else to believe otherwise.

    • (Score: 0) by Anonymous Coward on Friday March 23 2018, @03:30PM (2 children)

      by Anonymous Coward on Friday March 23 2018, @03:30PM (#657144)

      He's in England. People over there acquire greater proficiency in English at earlier ages than we do across the ocean.

      • (Score: 3, Interesting) by FakeBeldin on Friday March 23 2018, @04:00PM (1 child)

        by FakeBeldin (3360) on Friday March 23 2018, @04:00PM (#657153) Journal

        Well, what I meant is that the whole reasoning is elegantly stated. That's what I typically find should be improved in works by students (who would be 18 to 25). So the idea that someone quite a bit younger than that is able to tackle technical issues and explain them lucidly is not something I'd accept at face value. I'd like at least some idea of where the claim comes from.

        It's not on his blog or anywhere else. He's been on GitHub since 2015, i.e. when he was 12 or 13. While some projects fit well with a 12-year-old (e.g. HTML5 snake), others are somewhat advanced (extending a bootloader for embedded boards). See e.g. this commit [github.com]. That's not the kind of commit to an existing project that screams "13 year old coding here" to me. Rather something different.

        I saw the claim in the media that this person would be 15. I do not know what they base this on.
        It may be true. I've looked, but haven't found details. I have found accomplishments that would seem to be well beyond the level of a 15 year old (or 12 year old, for that matter).

        So let's take the claim that this person is 15 with a grain of salt - at least until someone explains where it's coming from.

        • (Score: 2, Interesting) by Anonymous Coward on Friday March 23 2018, @07:45PM

          by Anonymous Coward on Friday March 23 2018, @07:45PM (#657236)

          It's not on his blog or anywhere else. He's been on GitHub since 2015, i.e. when he was 12 or 13.

          Best programmer I've ever met? A guy in London back in the late '90s who was aged 14 at the time, he'd been programming assembly and C/C++ from about the age of 5 (ISTR his father was an engineer, so he grew up surrounded by computers and electronics) and was doing contract work from the age of 12. It's humbling to watch someone that age knock out in 15 minutes an elegant bit of C code which did the job more efficiently than the stuff we'd been using up to that point. A true wunderkind, with absolutely no pejorative meaning implied in the use of that word here.

  • (Score: 2) by tangomargarine on Friday March 23 2018, @04:30PM (1 child)

    by tangomargarine (667) on Friday March 23 2018, @04:30PM (#657157)

    "There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

    Okay, being in firmware makes it harder to hack. Assuming the device can't flash its own firmware like the PCs sold these days. Or they have it super locked-down like TPM chips. Still, calling it "foolproof" is pretty much daring Eris to come at you.

    On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions.

    D'oh! Guess they didn't manage to knock on wood fast enough.

    backdoor Rashid developed is a minuscule 300 bytes long

    AHAHAHAHAHHHAHAHAHAHHAHAA

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 1, Interesting) by Anonymous Coward on Friday March 23 2018, @09:27PM

      by Anonymous Coward on Friday March 23 2018, @09:27PM (#657266)

      Reminds me of a company that was advertising identity theft protection by confidently plastering their CEO's SSN on all their ads, and then, predictably, said CEO had his identity stolen multiple times. [techdirt.com]

      Ah, Lifelock. The company, which was recently fined $12 million for bogus advertising and absolutely dreadful security practices (the private data that Lifelock claimed it was helping you protect was not encrypted and was available to more than just authorized employees). Of course, the most amusing thing of all was how the CEO of the company, Todd Davis, plastered his Social Security Number everywhere to show how "safe" he felt with the company's service. In the past, we had noted that this didn't actually stop him from being a victim of identity fraud -- when someone used his well publicized SSN to get a $500 loan in his name. Oh, and then there was the story about how the CEO then personally went to the home of the guy who did this, and "coerced" a confession out of him. In doing so, it ruined the police investigation and tainted the case.

      Thankfully, it now turns out that there were twelve other opportunities to taint evidence. Yes, it's now come out that the CEO who proudly gave away his SSN because his own company would protect him has been a victim of identity fraud at least 13 times. And they say 13 is an unlucky number...
