A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.
Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer. The devices enable transactions via a connection to a USB port on the user’s computer, but they don’t reveal the private key to the PC.
Yet Saleem Rashid, a 15-year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from Ledger devices. Rashid’s method requires an attacker to have physical access to the device, and normally such hacks would be unremarkable because they fall under the #1 rule of security — namely, if an attacker has physical access to your device, then it is not your device anymore.
The trouble is that consumer demand for Ledger’s products has frequently outpaced the company’s ability to produce them (it has sold over a million of its most popular Nano S models to date). This has prompted the company’s chief technology officer to state publicly that Ledger’s built-in security model is so robust that it is safe to purchase their products from a wide range of third-party sellers, including Amazon and eBay.
But Rashid discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer, and then siphon the private key and drain the user’s cryptocurrency account(s) once the buyer starts using the device.
The crux of the problem is that Ledger’s devices contain a secure processor chip and a non-secure microcontroller chip. The latter is used for a variety of non-security related purposes, from handling the USB connections to displaying text on the Ledger’s digital display, but the two chips still pass information between each other. Rashid found that an attacker could compromise the insecure processor (the microcontroller) on Ledger devices to run malicious code without being detected.
Ledger’s products do contain a mechanism for checking to ensure the code powering the devices has not been modified, but Rashid’s proof-of-concept code — being released today in tandem with an announcement from Ledger about a new firmware update designed to fix the bug — allows an attacker to force the device to sidestep those security checks.
“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid said in an interview with KrebsOnSecurity. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”
Kenneth White, director of the Open Crypto Audit Project, had an opportunity to review Rashid’s findings prior to their publication today. White said he was impressed with the elegance of the proof-of-concept attack code, which Rashid sent to Ledger approximately four months ago. A copy of Rashid’s research paper on the vulnerability is available here (PDF). A video of Rashid demonstrating his attack is below.
White said Rashid’s code subverts the security of the Ledger’s process for generating a backup code for a user’s private key, which relies on a random number generator that can be made to produce non-random results.
“In this case [the attacker] can set it to whatever he wants,” White said. “The victim generates keys and backup codes, but in fact those codes have been predicted by the attacker in advance because he controls the Ledger’s random number generator.”
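The point White makes is a general one: if the only entropy feeding seed generation comes from a chip an attacker can reprogram, the "random" backup code is a deterministic function of attacker-chosen input. The toy model below is an added illustration, not Ledger's firmware and not Rashid's proof of concept. The chip roles, class and function names, the 32-byte sizes and the all-zero attacker value are assumptions for the demo; it contrasts a design where the secure element hashes whatever the microcontroller hands it with one where the secure element mixes in entropy it generated itself, so a compromised microcontroller alone can no longer make the seed predictable.

```python
"""Toy two-chip wallet model: why the recovery seed must not depend solely on
entropy supplied by the non-secure microcontroller.

Added example (not Ledger's code, not Rashid's PoC); names and sizes are assumed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


class Microcontroller:
    """Non-secure chip. A genuine one returns fresh OS entropy; a reprogrammed
    one returns a value of the attacker's choosing."""

    def __init__(self, fixed_entropy: Optional[bytes] = None):
        self.fixed_entropy = fixed_entropy  # None means "genuine firmware"

    def get_entropy(self, n: int) -> bytes:
        if self.fixed_entropy is not None:
            # Compromised firmware: attacker-chosen bytes, repeated to length n.
            return (self.fixed_entropy * n)[:n]
        return os.urandom(n)


class SecureElement:
    """Secure chip that derives the wallet seed (from which the backup code
    and keys would be produced)."""

    def __init__(self, mcu: Microcontroller, mixes_own_entropy: bool):
        self.mcu = mcu
        self.mixes_own_entropy = mixes_own_entropy

    def generate_seed(self) -> bytes:
        mcu_bytes = self.mcu.get_entropy(32)
        if not self.mixes_own_entropy:
            # Flawed design modelled here: the seed is a pure function of what
            # the microcontroller supplied, so whoever controls the MCU can
            # compute it in advance.
            return hashlib.sha256(mcu_bytes).digest()
        # Mitigation: the secure element contributes its own entropy and keys
        # an HMAC with it. An attacker who knows or chooses mcu_bytes still has
        # no way to predict the output without se_bytes.
        se_bytes = os.urandom(32)
        return hmac.new(se_bytes, mcu_bytes, hashlib.sha256).digest()


# Constructed value: what a reprogrammed MCU returns instead of real entropy.
ATTACKER_ENTROPY = b"\x00" * 32


def attacker_prediction() -> bytes:
    """What the attacker expects the flawed design to produce for the forced input."""
    return hashlib.sha256(ATTACKER_ENTROPY).digest()


def seed_with_flawed_design() -> Tuple[bytes, bytes]:
    """Returns (seed the victim's device generated, seed the attacker predicted)."""
    se = SecureElement(Microcontroller(ATTACKER_ENTROPY), mixes_own_entropy=False)
    return se.generate_seed(), attacker_prediction()


def seeds_with_mixed_entropy() -> Tuple[bytes, bytes, bytes]:
    """Same compromised MCU, but the secure element mixes in its own entropy.
    Returns (seed from run 1, seed from run 2, attacker's prediction)."""
    se = SecureElement(Microcontroller(ATTACKER_ENTROPY), mixes_own_entropy=True)
    return se.generate_seed(), se.generate_seed(), attacker_prediction()


if __name__ == "__main__":
    victim, predicted = seed_with_flawed_design()
    print("flawed design, attacker predicted the seed:", victim == predicted)
    s1, s2, predicted = seeds_with_mixed_entropy()
    print("mixed entropy, attacker predicted the seed:", s1 == predicted)
    print("mixed entropy, two runs differ:", s1 != s2)
```

In the flawed configuration the victim's seed equals the attacker's precomputed value every time; with the secure element contributing entropy, consecutive runs differ and neither matches the prediction. The design lesson matches the commenters' suggestion later on this page: seed generation (or at least an unpredictable share of its entropy) has to live on the chip you actually trust.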
Rashid said Ledger initially dismissed his findings as implausible. But in a blog post published today, Ledger says it has since fixed the flaw Rashid found — as well as others discovered and reported by different security researchers — in a firmware update that brings Ledger Nano S devices from firmware version 1.3.1 to version 1.4.1 (the company actually released the firmware update on March 6, potentially giving attackers time to reverse engineer Rashid’s method).
The company is still working on an update for its pricier Ledger Blue devices, which company chief security officer Charles Guillemet said should be ready soon. Guillemet said Nano-S devices should alert users that a firmware update is available when the customer first plugs the device into a computer.
“The vulnerability he found was based on the fact that the secure element tries to authenticate the microcontroller, and that authentication is not strong enough,” Guillemet told KrebsOnSecurity. “This update does authentication more tightly so that it’s not possible to fool the user.”
Rashid said unlike its competitors in the hardware wallet industry, Ledger includes no tamper protection seal or any other device that might warn customers that a Nano S has been physically opened or modified prior to its first use by the customer.
“They make it so easy to open the device that you can take your fingernail and open it up,” he said.
Asked whether Ledger intends to add tamper protection to its products, Guillemet said such mechanisms do not add any security.
“For us, a tamper proof seal is nothing that adds security to the device because it’s very easy to counterfeit,” Guillemet said. “You can buy some security seals on the web. For us, it’s a lie to our customers to use this kind of seal to prove the genuineness of our product.”
Guillemet said despite Rashid’s findings, he sees no reason to change his recommendation that interested customers should feel free to purchase the company’s products through third party vendors.
“As we have upgraded our solution to prove the genuineness of our product using cryptographic checks, I don’t see why we should change this statement,” he said.
Nevertheless, given that many cryptocurrency owners turn to hardware wallets like Ledger to safeguard some or all of their virtual currency, it’s probably a good idea if you are going to rely on one of these devices to purchase it directly from the source, and to apply any available firmware updates before using it.
This kid should be working for the N.S.A.
Crypto fan will never be working for the NOSA 🙂
I am sure he is smart enough not to
Seeing as he is from the UK he should be working at GCHQ. The NSA seems to be reluctant to employ non US citizens.
“Rashidd said unlike its competitors”
Extra letter in his name
Very impressive crypto work for a 15 year-old. Most 15 year-olds can’t think at any level above Minecraft.
Try on new firmware 1.4 – good luck!
If the device has already been compromised, I’m not sure you can guarantee that upgrading the firmware will make it safe.
The only thing that has been/can be compromised is the STM32 (MCU), not the secure element. If you replace the SE with a non genuine one this would be easily spotted by ledger’s tools.
Hence their claims that you can buy your nano from untrusted sources, they always have a way to verify the secure element has not been tampered with. And if proved to be genuine they can always safely upgrade the secure element firmware (which they do with this 1.4.1).
The only open question is if this secure element firmware 1.4.1 can really ensure what runs on the MCU is genuine too. It for sure makes it even harder than it was on 1.3.1.
I believe the statement:
“Yet Saleem […] discovered a way to acquire the private keys from Ledger devices.” spreads FUD.
In the “supply chain attack”, he could install a (new) attacker controlled seed on the device. Not acquire it from the device.
In the “evil maid attack”, he was NOT able to acquire the seed of an already initialized nano s. But only to install a keylogger on the MCU, which would capture the pin once the user enters it, then silently approve any transaction sent to the device.
– the seed was not acquired/extracted
– after the pin is captured, it can basically be bypassed. But you still need to connect your nano to a computer that would send evil transactions to it (i.e. the maid has to strike back).
The only way he could acquire private keys is if the user was to restore a valid seed on a compromised device. And even then the captured key (now sitting on the MCU) still needs to be acquired by the attacker in some way.
From what I can see, with ledger’s latest update, even if I have an old/not updated nano s, potentially compromised, I can connect it to my computer, update it to 1.4.1. And I can safely use it knowing it is genuine even if an attacker did get physical access to it (even if I bought a used one on ebay).
I would safely give my nano s to saleem and use it afterward without fear of getting my secrets stolen 🙂
Any random number generator use in such devices should seed from a radioactive dab of radium or the like.
Your idea could work, but the regulatory challenges necessary to obtain a specific license to incorporate an exempt quantity of radioactive material into a device for commercial distribution, including mandated safe packaging and labeling requirements, would not be cost effective or worthwhile if background radiation could be used instead. Still, additional circuitry would be necessary, also driving up the cost.
There are true random number generators available on the web which use natural phenomena as their source, e.g. https://www.random.org/
Also, there are some “new” improved methods using mouse movements to create an RNG.
This is a good example of why everything should be open source; something that can be learned from the crypto world, where, as far as I know, everything is open to scrutiny, many projects even offering bounties.
Even if a device is fully open source, it will still be manufactured in China.
read the pdf – nice write up on the exploit – kudos
love this part
“If we can modify the user interface, we can change the recovery seed that is generated during the onboarding process. This is quite easy since the user interface is open source and Ledger allows you (by design!) to install a modified UX application.”
nothing like providing the backdoor for your attackers….
wow, amazing kid,
Krebs Mobile site???? Any time???
What for? This Web site works perfectly as-is when I use my phone.
“it’s probably a good idea if you are going to rely on one of these devices to purchase it directly from the source”
But don’t forget what happened to Dr. Cal Meacham when he purchased “directly from the source”!
No chance of Zagons tampering with the interocitor.
I read researcher’s blog post and am so jealous of his intellect. All I understood is that maids can be evil. 🙂
Gah, everything “computers” sucks I think. Been like this for over 10 years since I started reading news articles about computer security.
As for cpu’s, I am no engineer, but I want to see a world where you can print your own cpu(s) on a thin sheet, something that would be fully designed for the owner to print, but also to inspect and test, and otherwise maintain total control and supervision of the equipment.
My naive impression is that today’s hardware/software is bloated, obscure and generally insecure, because there is no ‘industry’ as such to blame, or to hold to account, yet hardware/software seems prolific in a fragmented way with a myriad of actors. Seems to me to be a world of chaos, but I don’t want some ‘official’ way of things, because I couldn’t just trust that, I just want people to really care when they design, implement, test, manufacture, deploy and support the longevity of anything hardware/software and to empower the user. Such that you can both be creative and secure, but without successfully undermining the fundamental security of your own damn hardware & software, nor for everybody else.
I’ve been thinking that ‘privacy’ is often a misused concept (when privacy is talked about as being a product, as opposed to something you need and want/desire), though I suspect the notion of privacy can be used to be the very foundation of security, by simply giving the owner the initiative to be maintaining good security, by technology alone with hardware and software, not being prone to phishing attacks and the like. Generally speaking, by compartmentalizing the way the hardware/software works, so that, no matter what goes wrong, you can still change, fix or stop something you have implemented relating to computing. I also envision ‘privacy’ to be a founding concept against this notion I have of a fragmented industry. How about giving all the software and hardware unique twists for the individual user, such that the odds of anyone being in control of the equipment would be overwhelmingly you alone as a user. This idea of creating quirky things on both the hardware and software level wouldn’t be about “rolling your own crypto”, which would probably be something wildly insecure, but to create security by obscurity, insofar as this can actually be proven to be secure just up to the point where somebody is sitting next to you with the proverbial $5 wrench. My favourite fantasy idea for this kind of hardware/software is something organic, self altering, the ‘kernel’ or ‘core’ working with information protected by probing and analysis. By the time anything intelligent is learned about this computer, it would have changed into something else, layered processes, and self created software that does not rely on simplicity and speed, but on sufficient intricacy. Basically, the critical processing features of such an entire computer being indistinguishable from being a one way function, from core and out (ofc, not being a single piece of code).
All they have to actually do is move seed generator to secure chip. But nice work, kid!
Indeed. Why would they not have been generating the random numbers on the secure chip to begin with?
As long as there’s a communication allowed between the secure and the unsecure chips, there’s going to be a way to compromise the unit.
The unit shouldn’t have an unsecure chip at all.
Sure, but better yet: don’t use any unsecure chips at all. Any communication allowed between them opens up for trouble.
From my understanding there is no such thing as a Truly Random Number Generator.
Morgan, I have been looking at the “truly random” number generator for some time. In the last six years, these are the only guys that I have found that come close to substantiating (quantifying) what most would call true “random number generation”. https://www.quintessencelabs.com/resource-library/ Their product is called qStream
That over-priced device uses a Tunnel Diode as the noise source (or sources). Zener diodes work too when they avalanche. You can make one of these at home provided you do a bit of learning first.
Great article yet again! I find it so interesting when people, especially children, figure out how to do such things.
Am I the only one who is a little bit surprised by the pompousness of the Ledger devs?
I mean this is a device that people trust with their money, and in some cases, I’m sure that amount is quite substantial. To be all willy nilly about “eh get it wherever you want, it’s all good” is hard to swallow after they just got proof of concept’d.
Hi Brian & Friends,
I have a simple question that I am confused about. The 3 credit bureaus + Innovis have the option to create online accounts within them to dispute information, pull reports, and so on. Do most of you create online accounts for these websites? I try very hard NOT to create additional accounts, but then I think if someone malicious creates an account in my name then I will not be able to create my account later on. Thoughts? Advice? Thank you –
Credit bureaus should have more breaches. $1.4B in fees which went to credit bureaus or companies owned or invested in by them for “identity protection” got a $1.4B windfall.
Keep leaking data, and your revenues increase!
15 years wow!! Everyone can see that nothing is secure these days; even kids can find security flaws. Maybe this kid should be working for NSA or CIA…