Bitcoin Forum
Author Topic: Advice for Existing Ledger Users  (Read 285 times)
LeGaulois (OP)
February 04, 2018, 09:37:48 AM
Last edit: February 04, 2018, 12:40:20 PM by LeGaulois
Merited by Lucius (3), pugman (1), RGBKey (1)
 #1

An attack vector was found last month. Nothing really critical; users can easily stay safe if they double check: users need to validate the integrity of the address beforehand, as a precaution (if using the Ethereum app, it is better to use a Live CD O.S.).

More details can be found in this PDF here

Quote
The Attack
Ledger wallets generate the displayed receive address using JavaScript code running on the host machine.

This means that malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.

Because receive addresses are constantly changing as part of the usual activity of the wallet, the user has no trivial way (like recognizing his address) to verify the integrity of the receive address.

As far as he knows, the displayed receive address is his actual receive address.

What Makes This Even Worse

Quote
- All the Ledger wallet software is located in the AppData folder, meaning that even unprivileged malware can modify it (no need to gain administrative rights).

- The Ledger wallet doesn’t implement any integrity check or anti-tampering for its source files, meaning they can be modified by anyone.

- All the malware needs to do is replace one line of code in the Ledger software; this can be achieved with less than 10 lines of Python code.

- New Ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised, causing the user to lose all of his funds.

- The attack changes the receive address during its generation, causing even the automatically generated QR code to be updated to the attacker’s address, meaning that both the string and QR representations of the address are compromised.

Advice for Existing Ledger Customers
Quote
If you’re using the Bitcoin App – Before every receive transaction validate the integrity of the address using the monitor button.

If you’re using the Ethereum App – Treat the Ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free, at least until this issue receives some kind of fix.
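As an added illustration of the file integrity check the quoted PDF says the Chrome app lacked (example code written for this post, not Ledger's or the PDF author's): it hashes every file of an install directory into a manifest and later reports which files were modified, went missing or appeared. The directory layout and file contents are constructed stand-ins; a real deployment would keep the trusted manifest somewhere the unprivileged user context cannot write.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large script bundles need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, trusted: dict) -> dict:
    """Diff the on-disk tree against a trusted manifest kept outside the writable app folder."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in trusted if f in current and current[f] != trusted[f]),
        "missing": sorted(f for f in trusted if f not in current),
        "added": sorted(f for f in current if f not in trusted),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake app tree, then alter one script."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"            # stands in for the AppData install directory
        (app / "js").mkdir(parents=True)
        (app / "js" / "wallet.js").write_text("function receiveAddress() { return fromDevice(); }\n")
        (app / "index.html").write_text("<script src='js/wallet.js'></script>\n")
        trusted = build_manifest(app)      # taken at install time from a clean tree
        # Simulate the one-line edit the PDF describes, plus an extra dropped file.
        (app / "js" / "wallet.js").write_text("function receiveAddress() { return 'tampered'; }\n")
        (app / "js" / "inject.js").write_text("// not part of the install\n")
        return verify_manifest(app, trusted)


if __name__ == "__main__":
    print(demo())
```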



manchester93
February 04, 2018, 10:46:43 AM
Merited by illyiller (1)
 #2

It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
-New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.
Lucius
February 04, 2018, 11:42:32 AM
 #3

Thanks for this info, it is something which certainly can be of concern to all users of hardware wallets. Actually it all comes down to the security of the user's PC; if all security measures have been taken and if the sending address is validated, the risk is reduced to a minimum.

I assume that this threat is valid even for users who use Electrum with Ledger, or does it only affect the Ledger Bitcoin Wallet in Chrome Apps?

Quote
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
-New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

Where should the average user store coins? If hardware wallets become unsafe, what is to be said about desktop or online wallets? I know that only cold storage is a safe option, but 9 of 10 users do not know what cold storage is or how to make one.

Good antivirus + firewall + malware protection and some common sense, this is all you need to be safe.

LeGaulois (OP)
February 04, 2018, 12:20:06 PM
Last edit: February 04, 2018, 12:39:35 PM by LeGaulois
 #4

Quote
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

But for example, Trezor wallet users are forced to use 2FA for the address used to receive. You can have your own opinion of course, but hardware wallets are still one of the best methods to use and a lot better than storing on a web-based wallet lol (which the majority does).

European Central Bank
February 04, 2018, 01:09:28 PM
 #5

people weren't validating on machine already?

it should be reemphasized that the only thing a hardware wallet will do well is shield your private keys. the actual transactions are still pretty vulnerable to being hijacked.
RGBKey
February 05, 2018, 02:02:16 AM
 #6

I have a Ledger and had no idea about that button that displays the address on the device. Thanks for this information.
HCP
February 05, 2018, 05:06:50 AM
Merited by RGBKey (1)
 #7

So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

LeGaulois (OP)
February 05, 2018, 01:43:42 PM
 #8

Yes, it's the Ledger Chrome App and not the device. I haven't been specific enough in the original post, sorry.

RGBKey
February 05, 2018, 03:26:23 PM
 #9

Quote
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

It's a good thing that it's possible to use Electrum or other desktop wallets to send with, but I think it's definitely still a big problem because of how many users use the chrome apps.
evgeshti
February 06, 2018, 09:56:21 PM
Merited by European Central Bank (2)
 #10

Interesting topic! Half an hour ago I did not think at all and could not imagine that Ledger can be hacked and I could lose all my savings.
Thanks for increasing the level of paranoia!
But now, having read the topics, I decided that as soon as the Grid+ device appeared on the market, it would be safe to store crypto-currencies online. In the meantime, it is necessary to be vigilant and remember that we live and work in an insidious environment. There are no ideal solutions, and all users need to be informed about the advantages and potential drawbacks of all existing solutions for storing crypto currency.

RGBKey
February 07, 2018, 09:23:05 PM
 #11

I'm a bit late on this, but 2 days ago Ledger updated the Chrome app to prompt users to confirm the address with the one displayed on their device. This is now not only for Bitcoin but all coins. https://www.ledger.fr/2018/02/05/man-middle-attack-risk/
bL4nkcode
February 08, 2018, 09:11:51 AM
 #12

Quote
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

Okay. Thanks for the information, I am a bit shit here while reading the above posts except with this reply, since I used Ledger too, but the good thing is I never ever used their Chrome apps.
I always used electrum and mycelium to send and receive with btc using ledger and myetherwallet in ethereum.