In this post, I’m going to discuss a vulnerability I discovered in Ledger hardware wallets. The vulnerability arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element.
An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.
If you want to miss out on the fun of building an exploit yourself, you can find my proof-of-concept on GitHub.
GitHub link:
https://github.com/saleemrashid/ledger-mcu-backdoor
If you follow the instructions there and install it on a Ledger Nano S running firmware 1.3.1 or below, you will be able to reenact the attack in the video above. However, because this is for educational purposes only, I have deliberately made the attack slightly less reliable.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/....
He offers a complete technical breakdown of the vulnerability. This seems like interesting news which hasn't received much attention. While the exploit has been patched on most machines affected, the Nano Blue remains unpatched. Disseminating this information and giving this issue more publicity could provide incentive for Ledger to issue a patch more quickly.
It might also help to know the vulnerability isn't inherent in Bitcoin or blockchain but rather in the custom-built hardware architecture which Ledger utilizes in its products.