Topic: Tangem Cards are Vulnerable to Brute-Force Attacks
Pmalek (OP)
September 18, 2025, 04:30:08 PM
Merited by The Sceptical Chymist (8), Cricktor (2), satscraper (2), Lucius (1), SFR10 (1), rdluffy (1), Charles-Tim (1), Z-tight (1)
 #1

Ledger's security team, Ledger Donjon, discovered a vulnerability in Tangem cards that could be exploited by brute-force password attacks. These cards can be exploited with specialized hardware equipment to bypass Tangem's built-in brute-force delay system. The technique Ledger used is known as "tearing." Successful tearing allowed Ledger Donjon to try around 2.5 login passwords per second, which decreases the time required to brute-force weak passwords.

Tangem Cards aren't upgradable, so this problem can't be fixed. What users can do is use more complex passwords of at least 8 characters, including letters, digits, and special symbols.

Here are more details on the report Ledger Donjon wrote and shared with Tangem:
https://www.ledger.com/blog-brute-force-attack-tangem


Tangem’s Anti-Brute-Force System

After 6 incorrect password attempts on a Tangem card, a 1-second delay is added. Each new incorrect password increases this delay by 1 second, up to a maximum of 45 seconds.

If we take this into account, Ledger estimates how long it would take to brute-force simple PINs of 4-8 digits:

- 4-digit PIN: ~5 days
- 6-digit PIN: ~520 days
- 8-digit PIN: ~143 years


The Tearing Attack

A tearing attack interrupts power to the card during the operation of counting the login entries. If done successfully, an attacker can get unlimited password entries without triggering a delay in the system. Tangem Cards don't erase the seed after X number of unsuccessful password entries like some other wallets do.


What Did Ledger Donjon Do?

They modified Tangem cards, soldering their own antennas to capture signals and measure electromagnetic emissions (EM). Tangem uses a secure channel on its cards to protect against data exchanges. This channel uses a password that is derived from the user's password. By brute-forcing the secure channel, Ledger could also brute-force the login password.

Ledger Donjon discovered that this channel is vulnerable to tearing attacks. When observed on monitors, the EM emissions between correct and incorrect passwords were different, making them easy to distinguish. Using equipment that Ledger claims costs under $5,000, they were able to test passwords continuously without delays.





Impacts of the Tearing Attacks

Tearing attacks require physical access to the cards and special equipment. The attackers can then try new passwords at a rate of around 2.5 passwords per second compared to 1 password every 45 seconds.
The biggest risk is with weak passwords made up of a common word. They are vulnerable to dictionary attacks. An attacker could try 1 million common passwords in around 4.5 days.

Here is a comparison of an attack rate of 2.5 passwords per second compared to 1 password every 45 seconds:




Ledger's Recommendations to Tangem and Tangem Users

Use strong passwords.

- 8 characters or more
- Letters, numbers, and special characters
- Tangem shouldn't allow users to use weak passwords
- Current users of weak passwords should upgrade to more complex ones 


Source:
https://www.ledger.com/blog-brute-force-attack-tangem

Charles-Tim
September 18, 2025, 04:48:18 PM
 #2

Although, dkbit98 posted about it here yesterday on the thread that fillippone created about it some weeks ago. I am referring to this thread:

TANGEM WALLET: An Innovative Seedles Cold Wallet Setup

One of the reasons I cannot use the wallet is because it is closed source.

For more visibility, I think this is a nice thread.

Pmalek (OP)
September 19, 2025, 06:40:56 AM
 #3

> Although, dkbit98 posted about it here yesterday on the thread that fillippone created about it some weeks ago. I am referring to this thread:
>
> TANGEM WALLET: An Innovative Seedles Cold Wallet Setup
>
> One of the reasons I cannot use the wallet is because it is closed source.
>
> For more visibility, I think this is a nice thread.

dkbit98 did mention the work of Ledger Donjon in his post but with very limited information. This thread contains more info and a more complete review of the vulnerability and Tangem's security model.

Personally, I don't think this is as serious as Ledger tried to portray it to be. Just like many other security vulnerabilities involving hardware wallets and secure element chips that we have seen in the past, it requires physical access to the device, special equipment, and knowledge of how to perform the manipulation attack. It's not something your average thief will know or would want to spend time to perform. Besides, if someone gets hold of your hardware wallet, you should immediately start working on moving your bitcoin and crypto to a different setup, regardless of which device they took from you and how safe you think it is. You don't want others looking for a way to steal from you.

satscraper
September 19, 2025, 06:44:47 AM
Last edit: September 19, 2025, 07:13:59 AM by satscraper
 #4

This attack requires physical access to the wallet.

I don't think anyone in their right mind would leave their coins in a wallet that’s fallen into the wrong hands.

Regarding the length of the PIN, even a simple, easy-to-remember 4-digit number can be secure if you repeat it several times to use as the PIN. The main factor here is the maximum length of PIN that a given wallet can accommodate.



Charles-Tim
September 19, 2025, 01:11:38 PM
 #5

Even this should not only be about a physical attack on the device, but how can someone have a huge amount of coins on a hardware wallet and not use at least 8 characters as a PIN, with upper case, lower case, numbers and at least one or more other characters like full stop, comma or percentage, etc.? People need to learn about security. And this is only valid in the pre-quantum world.

Pmalek (OP)
September 20, 2025, 06:37:43 AM
 #6

> Regarding the length of the PIN, even a simple, easy-to-remember 4-digit number can be secure if you repeat it several times to use as the PIN.

I didn't understand what you tried to say with this part of your post. Why do you think a 4-digit PIN is secure enough or more secure if you repeat it several times compared to a 4-digit PIN that you don't repeat? With the right hardware and knowledge, an attacker could measure electromagnetic emissions and figure out the login PIN. The shorter PINs and more common passwords are also vulnerable to dictionary attacks.

> Even this should not only be about a physical attack on the device, but how can someone have a huge amount of coins on a hardware wallet and not use at least 8 characters as a PIN, with upper case, lower case, numbers and at least one or more other characters like full stop, comma or percentage, etc.

Because many people prefer convenience and ease of access instead of lack of it, even if the latter improves their security. As quick and as simple as possible is the motto for the majority of people.

satscraper
September 20, 2025, 07:11:32 AM
 #7

> > Regarding the length of the PIN, even a simple, easy-to-remember 4-digit number can be secure if you repeat it several times to use as the PIN.
>
> I didn't understand what you tried to say with this part of your post. Why do you think a 4-digit PIN is secure enough or more secure if you repeat it several times compared to a 4-digit PIN that you don't repeat?

Just read the original article.

They bypassed the brute-force protection mechanisms employed by Tangem and, in fact, used brute-forcing to break the PIN.

The longer the PIN, the larger the search space. For example, repeating a 4-digit PIN five times would make it practically uncrackable using their method.

You might gain more insights by reading this.


 

Pmalek (OP)
September 20, 2025, 07:22:58 AM
Merited by satscraper (1)
 #8

> The longer the PIN, the larger the search space. For example, repeating a 4-digit PIN five times would make it practically uncrackable using their method.

Now I understand what you were trying to say. Repeating a 4-digit PIN twice makes it an 8-digit PIN. Doing it five times extends the PIN to 20 digits. There was a misunderstanding because I didn't realize you were talking about making the PIN longer. I thought you were trying to say that entering and changing the PIN in the system during setup would somehow make it safer than if you just added a PIN once. My bad...

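The timing figures from post #1 and the PIN-length exchange in posts #4 to #8, worked through as an added example (not part of any post, and not Ledger's or Tangem's code). It assumes the delay ramps exactly as post #1 describes, that the whole candidate space is exhausted (worst case), and a 94-symbol printable-ASCII alphabet for the password row; the function names are made up for this sketch.

```python
# Added example: worst-case exhaustion times from the figures quoted in this thread.
FREE_ATTEMPTS = 6      # wrong guesses before the card adds any delay (post #1)
MAX_DELAY_S = 45       # delay cap in seconds (post #1)
TEARING_RATE = 2.5     # guesses per second reported once the delay is bypassed
DAY, YEAR = 86_400, 365.25 * 86_400


def delayed_seconds(guesses: int) -> int:
    """Total enforced delay for `guesses` wrong attempts on an unmodified card.

    Assumed reading of post #1: guesses 1-6 are free, guess 6+k waits
    min(k, 45) seconds.
    """
    penalised = max(0, guesses - FREE_ATTEMPTS)
    ramp = min(penalised, MAX_DELAY_S)             # guesses still on the 1..45 s ramp
    ramp_total = ramp * (ramp + 1) // 2            # 1 + 2 + ... + ramp
    return ramp_total + (penalised - ramp) * MAX_DELAY_S


def tearing_seconds(guesses: int) -> float:
    """Time for `guesses` attempts at the fixed rate reported for tearing."""
    return guesses / TEARING_RATE


def repeated_block_candidates(block_len: int, max_len: int) -> int:
    """Distinct PINs of the form 'one digit block repeated 1..n times'.

    This is the search space left when the structure of the PIN is guessed,
    as opposed to 10**max_len for independent digits.
    """
    return 10 ** block_len * (max_len // block_len)


def table():
    """(label, candidates, days with delay, days at tearing rate) per scenario."""
    scenarios = [
        ("4-digit PIN", 10 ** 4),
        ("6-digit PIN", 10 ** 6),
        ("8-digit PIN", 10 ** 8),
        ("1M-word dictionary", 10 ** 6),
        ("4-digit block repeated up to 20 digits", repeated_block_candidates(4, 20)),
        ("20 independent digits", 10 ** 20),
        ("8 chars, 94-symbol alphabet (assumed)", 94 ** 8),
    ]
    return [(name, n, delayed_seconds(n) / DAY, tearing_seconds(n) / DAY)
            for name, n in scenarios]


if __name__ == "__main__":
    for name, n, slow, fast in table():
        print(f"{name:40} {n:>12.3g} candidates  "
              f"delay: {slow:12.4g} d  tearing: {fast:12.4g} d")
```

The delay-limited rows reproduce the ~5 days, ~520 days and ~143 years quoted in post #1. The repeated-block row has 50,000 candidates, about 5.6 hours at 2.5 guesses per second, so the length of a PIN only counts in full when its digits are independent.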
DaveF
November 18, 2025, 02:58:28 PM
 #9

Also should point out that when doing this attack they had to:

> To achieve this, we can either cut into the plastic with a scalpel or use a dremel. Afterward, we detach the card antenna and solder our own onto the two pads using a thin wire that replicates the card’s shape.

Not difficult, but you can also damage the card in the process of doing it to the point of it no longer working.

How many, if any, did they destroy to do this?

-Dave


Pmalek (OP)
November 18, 2025, 04:26:17 PM
 #10

> Also should point out that when doing this attack they had to:
>
> > To achieve this, we can either cut into the plastic with a scalpel or use a dremel. Afterward, we detach the card antenna and solder our own onto the two pads using a thin wire that replicates the card’s shape.
>
> Not difficult, but you can also damage the card in the process of doing it to the point of it no longer working.
>
> How many, if any, did they destroy to do this?

That probably depends on how much experience they have with this type of tearing attack. If their engineers already performed such tears on smart cards and got the results they were looking for, perhaps they already knew what they were doing. I don't think these smart cards are much different under the hood, so if you learn how to manipulate one and have the schematics for another, you have a good idea of what needs to be done.

DaveF
November 19, 2025, 05:46:09 PM
 #11

> > Also should point out that when doing this attack they had to:
> >
> > > To achieve this, we can either cut into the plastic with a scalpel or use a dremel. Afterward, we detach the card antenna and solder our own onto the two pads using a thin wire that replicates the card’s shape.
> >
> > Not difficult, but you can also damage the card in the process of doing it to the point of it no longer working.
> >
> > How many, if any, did they destroy to do this?
>
> That probably depends on how much experience they have with this type of tearing attack. If their engineers already performed such tears on smart cards and got the results they were looking for, perhaps they already knew what they were doing. I don't think these smart cards are much different under the hood, so if you learn how to manipulate one and have the schematics for another, you have a good idea of what needs to be done.

Agreed, but, and I'm making an assumption here, you can still grind or cut a little too far and kill it.
It also means that you can kind of - sort of make this a bit more difficult to do by making a manufacturing change. Every batch of cards has the chip / antenna in a slightly different location.
That or just force an 8 or 10 digit PIN, I *think* the default now is 6. That is what I have and since I don't have a lot of crypto stored on it I would have used the shortest possible, but I can't be sure of that.

-Dave

dkbit98
November 19, 2025, 06:35:38 PM
 #12

> Not difficult, but you can also damage the card in the process of doing it to the point of it no longer working.
>
> How many, if any, did they destroy to do this?

This is very easy to do and you won't destroy anything if you know how to do it correctly.
I know many examples of people easily extracting NFC payment chips from cards, and most cards have a standardized scheme that has chips and antennas in the same place.
It's not like Tangem made anything new, they just purchased empty cards and loaded them with their closed source firmware.

 
