A vulnerability that affects every Ledger hardware wallet on the market would allow for malicious parties to show Ledger customers fraudulent receive addresses. If users request funds to these addresses, cryptocurrency intended for them would end up in an attacker’s wallet instead.
UPDATED | February 6, 2018:
Ledger provided additional information on the measures it is taking to address this vulnerability. First and foremost among them: it will add a step to the workflow of the “Ledger Wallet Bitcoin Chrome application” which encourages each user to double-check that the key on their wallet’s screen matches the one on their computer monitor. While the post suggests that customers will be “required to verify” this match, it appears that that fix leaves room for user error. The statement also says that “ETH and XRP apps will benefit from the feature in the new global release.”
The company is encouraging its users “to find bugs, or security vulnerabilities,” and says, “While our bounty program has not been officially launched yet, there is already a dedicated mail address set up.”
ORIGINAL | February 5, 2018:
Ledger, a company that offers cryptocurrency wallets, acknowledged on February 3 that all of its hardware wallets are affected by a vulnerability which could allow a malicious party to provide clients with false receive addresses, so that cryptocurrency that is intended to be received by the customer would end up in an attacker’s wallet instead.
A twitter account run by the company issued a tweet that included a hyperlink to a report detailing the vulnerability. The researchers behind the document did not identify themselves, referring to themselves only as “we.”
As Ledger says on an instructional page of its website, a “Ledger wallet generates a new address each time you want to receive a payment.” (The page was updated on February 5, and when ETHNews accessed it, the quoted text and other information pertinent to the vulnerability was highlighted in red.)
It’s in generating these addresses that the vulnerability comes into play. Ledger warns that an “attacker could be in control of your computer screen and show you a wrong address which would make him the beneficiairy [sic] of any transaction sent to it.” The report explains that this is because the wallets use a “JavaScript code running on” the computer to which the device is connected. If malware capable of perpetrating a m an-in-the-middle attack is present on that machine, it “can simply replace the code responsible for generating the receive address” with code that will spit out an address belonging to the attacker.
Both the report and documentation available from Ledger offer guidance on how to verify that a bitcoin receive address is correct. As Ledger puts it, “Click on the button looking like a monitor under the QRCODE. It will show the address on the [screen of the hardware wallet itself]. It is very important to verify that you see the same address” in both places, because if the one on a user’s monitor does not match the one on their wallet’s screen, then the address on their monitor is incorrect.
According to the report, however, such a module is not available on Ledger’s Ether wallet interface. “The Ethereum App (and possibly other apps as well) has no mitigation, the user has no way to validate if the receive address has been tampered.” Therefore, its authors recommend that “If you’re using the Ethereum App – Treat the ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix.”
By press time, Ledger had not responded to an ETHNews inquiry on whether this vulnerability threatens to affect the sending and receiving of Ether tokens.
The document also relates that the researchers behind it reached out to Ledger with their findings, and on January 27, the company’s CTO told them that “no fix/change would be done (our recommendation to enforce the user to validate the receive address has been rejected), but they will work on raising public awareness so that users can protect themselves from such attacks.”
A page on Ledger’s website under the header “Basic security principles (must read),” which was also updated on February 5, cautions users that “Using a hardware wallet doesn’t make you invincible… Don’t trust, verify.”
Adam Reese is a Los Angeles-based writer interested in technology, domestic and international politics, social issues, infrastructure and the arts. Adam is a full-time staff writer for ETHNews and holds value in Ether and BTC.
ETHNews is committed to its Editorial Policy
Like what you read? Follow us on Twitter @ETHNews_ to receive the latest Ledger, wallet or other Ethereum wallets and exchanges news.
Source: ETHNews
