Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: Captain-Cryptory on July 08, 2020, 03:40:25 PM



Title: Ledger Nano X under supply chain attacks
Post by: Captain-Cryptory on July 08, 2020, 03:40:25 PM
.


Title: Re: Ledger Nano X under supply chain attacks
Post by: bob123 on July 08, 2020, 04:18:08 PM
Supply chain attacks are a risk for both Ledger and Trezor HW wallets.

Even without the enabled JTAG interface, there is a risk of getting a compromised hardware wallet.
Inserting a hardware implant was possible all the time. And with such an implant, you'd be able to (for example) trigger the button press to confirm a transaction with radio waves. 

While the enabled JTAG interface poses some new concrete attacks, the supply chain has always been a possible (and not that realistic) attack vector.


Title: Re: Ledger Nano X under supply chain attacks
Post by: dkbit98 on July 08, 2020, 08:18:17 PM
Kraken Labs is doing a good job exposing stuff like this.
I wonder whether that attack is also possible on the Ledger Nano S.
Ledger released a firmware update only for the Nano X version, and they also released an update for the Ledger Live application.


Title: Re: Ledger Nano X under supply chain attacks
Post by: o_e_l_e_o on July 08, 2020, 08:51:07 PM
It's worth pointing out that this was disclosed to Ledger a few months ago, and so it has already been fixed. You can see their response here: https://donjon.ledger.com/lsb/013/

If you already have a Ledger Nano X, the most recent update fixes this vulnerability, and all new Ledger Nano X devices produced have the debug interface disabled.

I also think the "Rubber Ducky" attack is a bit of a non-story. A malicious third party could open a Ledger Nano X device (or literally any piece of USB hardware in existence, from a webcam to a keyboard to a flash drive to a mug warmer), strip out the internals, leave behind a BadUSB-type device, and close it back up again. As long as the casing looks intact, most users would plug the device in without a second thought, and therefore fall victim to the attack.


Title: Re: Ledger Nano X under supply chain attacks
Post by: o_e_l_e_o on July 11, 2020, 10:44:25 AM
Yeah, Ledger Nano S is also vulnerable if it is physically accessed by a cracker: https://wallet.fail/wallets/nanos/
Again, you should point out that this has already been addressed.

The F00DBABE issue allowed an attacker to place custom software on the microcontroller unit (MCU), which allowed them to do things such as run snake on the Ledger Nano S. What it didn't allow them to do, however, was to access any of the data stored on the secure element, which is where your private keys are stored, since their custom software would fail the authentication process. No one was ever able to demonstrate stealing private data or a loss of funds from this issue. Regardless, it has since been patched: https://www.ledger.com/ledger-releases-a-new-nano-s-firmware-update/