Bitcoin Forum
Author Topic: Advice for Existing Ledger Users  (Read 128 times)
LeGaulois
February 04, 2018, 09:37:48 AM
Merited by Lucius (3), pugman (1), RGBKey (1)
 #1

An attack vector was found last month. Nothing really critical. Users can easily be safe if they double check: users need to validate the integrity of the address beforehand, as a precaution. (If using the Ethereum app, it is better to use a Live CD OS.)

More details can be found in this PDF here

Quote
The Attack
Ledger wallets generate the displayed receive address using JavaScript code running on the host machine.

This means that malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.

Because receive addresses are constantly changing as part of the usual activity of the wallet, the user has no trivial way (like recognizing his address) to verify the integrity of the receive address.

As far as he knows, the displayed receive address is his actual receive address.

What Makes This Even Worse

Quote
- All the Ledger wallet software is located in the AppData folder, meaning that even unprivileged malware can modify it (no need to gain administrative rights).

- The Ledger wallet doesn't implement any integrity check or anti-tampering for its source files, meaning they can be modified by anyone.

- All the malware needs to do is replace one line of code in the Ledger software; this can be achieved with less than 10 lines of Python code.

- New Ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised, causing the user to lose all of his funds.

- The attack changes the receive address during its generation, causing even the automatically generated QR code to be updated to the attacker's address, meaning that both the string and QR representations of the address are compromised.

Advice for Existing Ledger Customers
Quote
If you're using the Bitcoin App: before every receive transaction, validate the integrity of the address using the monitor button.

If you're using the Ethereum App: treat the Ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free, at least until this issue receives some kind of fix.
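The quoted bullets point out that the app's source files sit in a user-writable folder with no integrity check. Below is an added example, not Ledger's or the PDF's code, of the kind of file-integrity manifest that would catch such an edit; the directory, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical helper (not Ledger code): record SHA-256 digests of an app's
# source files, then re-check them before trusting the app, so an edited
# address-generation file is detected. All paths and contents are constructed.

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root: Path, manifest: dict) -> list:
    """Return (relative_path, reason) for every file that deviates."""
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified"))
    problems += [(rel, "unexpected") for rel in current if rel not in manifest]
    return problems

def demo() -> list:
    """Constructed scenario: record a clean install, then one file is edited."""
    tmp = Path(tempfile.mkdtemp())
    app = tmp / "wallet-app"
    (app / "js").mkdir(parents=True)
    (app / "js" / "receive.js").write_text("function receiveAddress(i){return derive(i);}\n")
    (app / "js" / "ui.js").write_text("render(receiveAddress(0));\n")
    (tmp / "manifest.json").write_text(json.dumps(build_manifest(app), indent=2))
    # Any later edit to a source file, however small, changes its digest.
    (app / "js" / "receive.js").write_text("function receiveAddress(i){return PLACEHOLDER;}\n")
    saved = json.loads((tmp / "manifest.json").read_text())
    return verify_manifest(app, saved)  # returns [("js/receive.js", "modified")]

if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is kept where the same unprivileged malware cannot rewrite it (outside the user-writable app folder, or signed), which is also why confirming the address on the device display remains the stronger check.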



manchester93
February 04, 2018, 10:46:43 AM
Merited by illyiller (1)
 #2

It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

Lucius
February 04, 2018, 11:42:32 AM
 #3

Thanks for this info, it is something which certainly can be of concern to all users of hardware wallets. Actually it all comes down to the security of the user's PC; if all security measures have been taken and if the sending address is validated, the risk is reduced to a minimum.

I assume that this threat is valid even for users who use Electrum with Ledger, or does it only affect the Ledger Bitcoin Wallet in Chrome Apps?

Quote
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

It's scary that this is "typical":

Quote
- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

Where should the average user store coins? If hardware wallets become unsafe, what to say about any desktop or online wallets? I know that only cold storage is a safe option, but 9 of 10 users do not know what cold storage is and how to make one.

Good antivirus + firewall + malware protection and some common sense, this is all you need to be safe.

LeGaulois
February 04, 2018, 12:20:06 PM
 #4

Quote
It's not just Ledger users. This MITM vulnerability affects all hardware wallets.

I'm gonna keep saying it: Stop storing anything you aren't willing to lose on hardware wallets. Use them for limited funds only. They have huge attack surfaces and they are not well-tested. And frankly, it should be common sense not to plug all your keys into a live computer.

But for example, Trezor wallet users are forced to use 2FA for the address used to receive. You can have your own opinion of course, but hardware wallets are still one of the best methods to use and a lot better than storing on a web-based wallet lol (which the majority does).

European Central Bank
February 04, 2018, 01:09:28 PM
 #5

People weren't validating on the machine already?

It should be reemphasized that the only thing a hardware wallet will do well is shield your private keys. The actual transactions are still pretty vulnerable to being hijacked.
RGBKey
February 05, 2018, 02:02:16 AM
 #6

I have a Ledger and had no idea about that button that displays the address on the device. Thanks for this information.

HCP
February 05, 2018, 05:06:50 AM
Merited by RGBKey (1)
 #7

So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

LeGaulois
February 05, 2018, 01:43:42 PM
 #8

Yes, it's the Ledger Chrome App and not the device. I haven't been specific enough in the original post, sorry.

RGBKey
February 05, 2018, 03:26:23 PM
 #9

Quote
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

It's a good thing that it's possible to use Electrum or other desktop wallets to send with, but I think it's definitely still a big problem because of how many users use the chrome apps.

evgeshti
February 06, 2018, 09:56:21 PM
Merited by European Central Bank (2)
 #10

Interesting topic! Half an hour ago I did not think at all and could not imagine that Ledger can be hacked and I can lose all my savings.
Thanks for increasing the level of paranoia.
But now I have read the topics and decided that as soon as the Grid+ device appears on the market, it will be safe to store crypto-currencies online. In the meantime, it is necessary to be vigilant and remember that we live and work in an insidious environment. There are no ideal solutions, and all users need to be informed about the advantages and potential drawbacks of all existing solutions for storing crypto currency.

RGBKey
February 07, 2018, 09:23:05 PM
 #11

I'm a bit late on this, but 2 days ago Ledger updated the Chrome app to prompt users to confirm the address with the one displayed on their device. This is now not only for Bitcoin but all coins. https://www.ledger.fr/2018/02/05/man-middle-attack-risk/

bL4nkcode
February 08, 2018, 09:11:51 AM
 #12

Quote
So, it isn't really the Ledger device itself... but the Ledger Chrome App that is susceptible to this particular issue. Users who use Electrum (and other 3rd party Ledger compatible wallets) are less likely to face this problem. Assuming of course they're running the newer versions that patch the JSON RPC flaw.

Having said that, anyone who just hands out Bitcoin Addresses without validating them first is asking for trouble.

As with all crypto related matters... a healthy level of paranoia is a "Good Things"™

Okay. Thanks for the information, I am a bit shit here while reading the above posts except with this reply, since I use Ledger too, but the good thing is I never ever used their Chrome apps.
I always used Electrum and Mycelium to send and receive BTC using Ledger, and MyEtherWallet for Ethereum.

