Bitcoin Forum

Hi Guys

I have been looking for a secure way to store the small amount of BTC I have, but also have quick access to it.  So after asking members on here a few days ago I decided I would go for an hardware wallet.

Tonight I decided I would go for the Ledger Nano S.

I went to buy one off the official site but didn't have a BitPay account, so decided to look elsewhere, thats when I came across the info that this device is vulnerable to supply chain hacks, so if you have one and didn't get it from the official site you need to check your device.

News article about it here: https://techcrunch.com/2018/03/21/a-15-year-old-hacked-the-secure-ledger-crypto-wallet/

Heres info about the hack here https://medium.com/@thepariscormier/how-to-hack-a-ledger-hardware-wallet-c38a4ac49d59

I think if bought directly from ledger they should be safe, but if bought from anywhere else be extra careful, make sure its fully updated and confirm its safety with ledger if possible.

I hope this saves someone from losing out,
Rick

There are lot more articles about this, heres one about a man who had all his BTC stolen after buying a ledger on ebay :( https://news.bitcoin.com/mans-life-savings-stolen-from-hardware-wallet-supplied-by-a-reseller/

Be careful!

This is actually scaring.


As for the man who bought the Ledger from Ebay, that should be a lesson for everyone. You have to chose carefully a reseller that you can really trust.

I understand the part on this article (https://techcrunch.com/2018/03/21/a-15-year-old-hacked-the-secure-ledger-crypto-wallet/) that the ledger CEO said there's no perfect system and everyone of it has flaws.

I'm not a security specialist or good with this thing but just for your sake and safety try to avoid buying a second hand nano ledger s.

And the only suggestion that I can made so that we won't have the same fate with the guy who lost his lifesaving is buying through directly to the manufacturers site.

I think its really scary, I don't know enough about how the device is hacked, but this should definitely be a warning to anyone buying any hardware wallet from any non official seller, DON'T RISK IT

Purchasing cold wallet on Ebay is the same as to buy 25yo whisky from the tap on the open market. ;D
When dealing with wallets always make sure you use only authentic sites, software and hardware!

Buying the ledger from 3rd parties is fine... you just have to make sure you create a NEW seed upon receiving it. The ebay guy used a seed given to him meaning his private keys were already shared with someone else

No thats not the issue, the problem is that one of the chips in the Nano Ledger S is not secure, and can be modified by third parties.

If you're not confident to use hardware wallet then the best way to save all your long-term coin is a paper wallet and keep your private keys safely so that you can use them when you want in future. But for the regular usage, some of the desktop wallets like Electrum will do the best job.

Long back I planned to buy hardware wallet and after considering all the risks involved I dropped my idea of using hardware wallet and stick to my desktop wallet, paper wallet and for immediate access, I also use online wallets like XAPO and blockchain.

Hardware wallets are not as bad, as long as you have a backup of your private key (or preferably the seed). It's the easiest solution for people who are not tech savvy and don't want to play around with airgapped PC to store the desktop wallet, or to spend from the paper wallet when the time comes...
Hardware wallets are easy to use, but as everything else in life, it needs a basic understanding about the usage of it. I won't advice to someone (who is not confident enough to use a hardware wallet) to use a paper wallet because it makes the whole situation even riskier, e.g. the user keys in the private key on an infected PC online, not on a fresh OS installation on an airgapped PC...
I would suggest to use mobile wallets (Android or IOS, but without root or jailbrake) and hardware wallets for the beginners, if they want to secure their precious coins...

Ledger Nano S has long been known to have software vulnerabilities. I also touched on this topic. I wonder how the producer wants to sell a wallet that does not give much security ...

One of the first bits of advice I was given when new to the space was to buy my wallet off the official website. I ended up waiting months for it to arrive. while waiting I come across numerous stories on telegram of people who had purchases nano s's off amazon only to be hacked a few weeks later. One thing I admit is that im extremely diligent when it comes to cyber security now!!

It seems they replace the generating seed on the wallet with their own generating seed by injecting it!
it is recommended to buy them for the official seller, not a shady seller or reseller.

I had read many reviews rating this device as brilliant, and seen many claims thats its 100% secure, thats why I felt the need to start this thread as soon as I realised its not 100% safe.

I think the producer is claiming the latest firmware fixes things, but the hackers claim not, so who knows ? Not me :(

I was thinking the same thing.
I really do not trust buying such hardware wallets that are not produced by the official site are fake or not as safe as the one from the site itself.

I was planning to buy one but when I checked the site they were out of stock and just forgot about the whole thing of buying one.
I was very y bothered when I was checking other sites for cheaper and nearer one and grateful that I haven't bought.
I thought that if I will be buying a cheaper one and would risk a greater part of my earned money to that, it is a definite stupidity

 I would always go for hardware wallet. I know most people might have seen it as not being the best, but the truth is , every bitcoin storing method has its own disadvantages and also their advantages. Paper wallet is good, but there is a tendency of easily getting destroyed. Hardware wallet is good also but the idea of been tampered by a third party gave it away negatively.  What I suggest you should do is to reset it upon arrival before you use it.

I only started this thread to warn others from making a mistake if it saves just 1 person from losing there funds then im happy :)

I think you advice is good, also ive seen ledger have updated the firmware again, and said to always check the address on the ledger screen, and all should be fine.

Even though I started this thread as a warning about this device, I still think that its a good piece of kit, just make sure you only buy from ledger, and update the firmware every time a new one is released, and always check the tx address on the ledger screen itself, and all should be safe.

That's why people should buy these devices on the official website and check them before starting active use. I heard a lot of stories on the Internet and this feeling is formed, as if people do not learn from other people's mistakes.

This is big lesson, never buy a hardware wallet from affiliate sites. You must buy it from the original manufacturer. Otherwise you will invest from a wallet where sellers knows already the privatekeys.

Thank you for your suggestions and notices, if we put bitcoin in the wallet, we must provide a security code to protect our coins.

The first article you link to contains a niche security vulnerability which has already been patched. The second article you link to requires someone having access to files on your machine, and if they can do that then you're already in a world of hurt. Additionally, a new Ledger desktop app is scheduled to be released this month, so that second article will no longer be relevant.

Thanks for sharing,  I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

There are three main scenarios where a hardware wallet can get compromised:

• Blatant stealing of coins by untrustworthy resellers: This happens when someone buys a hardware wallet at a "cheaper price" from 3rd party resellers who aren't endorsed by the companies and falls victim without knowing that they are using the per-generated wallet with shared private keys. The cheaper price is the catch here.

• Locating and replacing the receiving address from the Ledger wallet JavaScript file: It requires an attacker to replace the receiving addresses of victim to his own static address where the victim will send coins to the attacker. This compromise is quite complex and requires quite a bit of social engineering.

• Fooling the MCU of victim's device: In this case a 3rd party seller can inject his own seed into the device in such a way that whenever a victim plugs in for the first time, it generates their injected seed instead of a random one. This was quite a concerning vulnerability but the Ledger Team has patched it in the next firmware update since its release.

Its fairly obvious by now that every buyer should do their due diligence before purchasing a hardware wallet and storing their fortunes into it.

@RGBKey
Excuse me but where did you see the desktop application would be ready this month? By the way, people should be careful while using it the first weeks, who knows if it will have some bugs here and there. I personally will let others test it, once I am sure the app is free from bugs I will start to use it ;D


If you had read the comments you wouldn't have this kind of post. See the post #23 above

Ledger released an article in february, stating the release would be july:

Source: https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/ (https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/)


But who knows whether their software will be completely done by then.. I wouldn't be suprised by a delay of 1 or 2 months.

Poster above me already linked the release date announcement, but you shouldn't have to worry about bugs as long as you're actually checking the information displayed on the device, like you should every time you're using it. If you sign a transaction with the wrong address/amount/fee, that's on you. A bug outside of that would be a much bigger deal and would likely ruin the ledger line of products.