
SoylentNews is people

posted by martyb on Friday March 23 2018, @11:48AM
from the And-I-would-have-gotten-away-with-it-too,-if-it-weren't-for-you-meddling-kids^H dept.

Never say can't.

For years, executives at France-based Ledger have boasted their specialized hardware for storing cryptocurrencies is so securely designed that resellers or others in the supply chain can't tamper with the devices without it being painfully obvious to end users. The reason: "cryptographic attestation" that uses unforgeable digital signatures to ensure that only authorized code runs on the hardware wallet.

"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300 bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.

Oops. To be fair, he's a very clever 15-year-old.


  • (Score: 2) by pkrasimirov on Friday March 23 2018, @12:14PM (4 children)

    Best part is he cannot get sued because he's a minor.

  • (Score: 3, Informative) by All Your Lawn Are Belong To Us on Friday March 23 2018, @12:30PM

    No. You can name anyone as a party to a lawsuit, and a minor can commit a tort. The leading theory is you name the minor and you name the parents (for negligent supervision to allow the minor to _________).

    Minors generally cannot enter into contracts.

    --
    This sig for rent.
  • (Score: 2) by PiMuNu on Friday March 23 2018, @12:49PM (2 children)

    What has he done that he can be sued for?

    • (Score: 2) by c0lo on Friday March 23 2018, @01:16PM

      Breach of DMCA - it's a universal law, like the law of gravitation, didntcha know?

      (grin)

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by All Your Lawn Are Belong To Us on Friday March 23 2018, @05:51PM

      I'm not saying he's done anything unlawful. I'm only debunking the notion that a minor cannot be sued.

      --
      This sig for rent.