
SoylentNews is people

posted by martyb on Friday March 23 2018, @11:48AM
from the And-I-would-have-gotten-away-with-it-too,-if-it-weren't-for-you-meddling-kids^H dept.

Never say can't.

For years, executives at France-based Ledger have boasted their specialized hardware for storing cryptocurrencies is so securely designed that resellers or others in the supply chain can't tamper with the devices without it being painfully obvious to end users. The reason: "cryptographic attestation" that uses unforgeable digital signatures to ensure that only authorized code runs on the hardware wallet.

"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300 bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.

Oops. To be fair, he's a very clever 15-year-old.


  • (Score: 2) by tangomargarine on Friday March 23 2018, @04:30PM (1 child)

    by tangomargarine (667) on Friday March 23 2018, @04:30PM (#657157)

    "There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.

    Okay, being in firmware makes it harder to hack. Assuming the device can't flash its own firmware like the PCs sold these days. Or they have it super locked-down like TPM chips. Still, calling it "foolproof" is pretty much daring Eris to come at you.

    On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions.

    D'oh! Guess they didn't manage to knock on wood fast enough.

    backdoor Rashid developed is a minuscule 300 bytes long

    AHAHAHAHAHHHAHAHAHAHHAHAA

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 1, Interesting) by Anonymous Coward on Friday March 23 2018, @09:27PM

    by Anonymous Coward on Friday March 23 2018, @09:27PM (#657266)

    Reminds me of a company that was advertising identity theft protection by confidently plastering their CEO's SSN on all their ads, and then, predictably, said CEO had his identity stolen multiple times. [techdirt.com]

    Ah, Lifelock. The company, which was recently fined $12 million for bogus advertising and absolutely dreadful security practices (the private data that Lifelock claimed it was helping you protect was not encrypted and was available to more than just authorized employees). Of course, the most amusing thing of all was how the CEO of the company, Todd Davis, plastered his Social Security Number everywhere to show how "safe" he felt with the company's service. In the past, we had noted that this didn't actually stop him from being a victim of identity fraud -- when someone used his well-publicized SSN to get a $500 loan in his name. Oh, and then there was the story about how the CEO then personally went to the home of the guy who did this, and "coerced" a confession out of him. In doing so, it ruined the police investigation and tainted the case.

    Thankfully, it now turns out that there were twelve other opportunities to taint evidence. Yes, it's now come out that the CEO who proudly gave away his SSN because his own company would protect him has been a victim of identity fraud at least 13 times. And they say 13 is an unlucky number...