Bitcoin Forum
November 14, 2024, 01:47:39 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [2018-02-04] Ledger Addresses Man in the Middle Attack That Threatens Millions o  (Read 119 times)
signalbitbot (OP)
Jr. Member
*
Offline Offline

Activity: 126
Merit: 1


View Profile WWW
February 04, 2018, 10:11:59 AM
 #1

Hardware wallet manufacturer Ledger, which sold over one million devices last year, has alerted its users to a major attack vector that’s recently been discovered. Although there are no reported cases of the attack being successfully deployed, the threat itself is very real. Today, Ledger urged users of its cryptocurrency wallets to take steps to avoid falling prey to the address spoofing attack.

Beware the Man in the Middle
Hardware wallets are regarded as one of the safest means of storing bitcoin and other cryptocurrencies. The USB cold storage devices eliminate the sort of attack vectors synonymous with being connected to the web. But to send funds or issue a receiving address, a hardware wallet has to be plugged in to an internet-enabled device, and researchers have discovered a vulnerability that affects Ledger devices at this stage. A newly published report reveals the way the MiTM attack would play out. It explains:

Ledger wallets generate the displayed receive address using JavaScript code running on the host machine…malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.


The attack, if executed, would leave the victim unaware at first that anything was the matter. To prove the the vulnerability is real, the report’s authors have posted a proof of concept that demonstrates the attack in action. The severity of the attack is heightened by the fact that, with Ledger’s wallet software stored in the AppData folder, it is relatively easy for malware to modify the receiving address. As the report notes, “All the malware needs to do is replace one line of code…this can be achieved with less than 10 lines of python”.

A Solution of Sorts
To avoid succumbing to this attack, there is a means of verifying the receiving address is correct, as the report explains, and as Ledger acknowledged in a tweet earlier today:

Ledger Addresses Man in the Middle Attack That Affects Millions of Hardware Wallets

This solution, while effective, is not failsafe in that it’s reliant on the user remembering to follow this procedure every time they transact. As the report points out, “A proper solution would be to [force] the user to validate the receive address before every receive transaction, just like the wallet [forces] the user to approve every send transaction”.

That’s the system that Trezor now uses with its hardware wallets, mandating the use of 2FA simply to access the receiving address. It is hoped that Ledger will follow suit in updating its devices to adopt this methodology. Hardware wallets are still significantly safer than leaving funds stored on a centralized exchange, but no solution is entirely foolproof, as the Ledger case demonstrates.

Do you think this vulnerability is cause for concern and do you think Ledger should enforce 2FA to resolve it? Let us know in the comments section below.

https://news.bitcoin.com/ledger-addresses-man-in-the-middle-attack-that-threatens-millions-of-hardware-wallets/
Kprawn
Legendary
*
Offline Offline

Activity: 1904
Merit: 1074


View Profile
February 04, 2018, 11:48:53 AM
 #2

This is not a "Ledger" problem... we have seen many instances where people using Web wallets and Desktop wallets,

reporting that some Malware hijacked their Clipboard and the receive address that was pasted...was replaced by a hackers

address. You just need to validate the receive address, before you confirm the payment. {They added a little button on the

bottom, for you to validate the receive address.... but I tested it, and I did not see the button. I think this might be a new

firmware update?}

THE FIRST DECENTRALIZED & PLAYER-OWNED CASINO
.EARNBET..EARN BITCOIN: DIVIDENDS
FOR-LIFETIME & MUCH MORE.
. BET WITH: BTCETHEOSLTCBCHWAXXRPBNB
.JOIN US: GITLABTWITTERTELEGRAM
Lucius
Legendary
*
Offline Offline

Activity: 3430
Merit: 6151


Crypto Swap Exchange🈺


View Profile WWW
February 04, 2018, 02:38:03 PM
 #3

This is not a "Ledger" problem... we have seen many instances where people using Web wallets and Desktop wallets,

reporting that some Malware hijacked their Clipboard and the receive address that was pasted...was replaced by a hackers

address. You just need to validate the receive address, before you confirm the payment. {They added a little button on the

bottom, for you to validate the receive address.... but I tested it, and I did not see the button. I think this might be a new

firmware update?}

I think this is something a little different then malware who change sending address.In this case malware is generating receiving address,which seems quite legitimate if the user is not familiar with this problem.That button is monitor button in Bitcoin Ledger Wallet and you should see it in "RECEIVE BITCOINS" window right next to the print option.When you press that button receive address will shown on Ledger screen and I suppose if both addresses are not identical then user have malware in PC.

There is more info and explanations with PDF source here : https://bitcointalk.org/index.php?topic=2878882.0

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Kprawn
Legendary
*
Offline Offline

Activity: 1904
Merit: 1074


View Profile
February 05, 2018, 03:04:22 PM
 #4

This is not a "Ledger" problem... we have seen many instances where people using Web wallets and Desktop wallets,

reporting that some Malware hijacked their Clipboard and the receive address that was pasted...was replaced by a hackers

address. You just need to validate the receive address, before you confirm the payment. {They added a little button on the

bottom, for you to validate the receive address.... but I tested it, and I did not see the button. I think this might be a new

firmware update?}

I think this is something a little different then malware who change sending address.In this case malware is generating receiving address,which seems quite legitimate if the user is not familiar with this problem.That button is monitor button in Bitcoin Ledger Wallet and you should see it in "RECEIVE BITCOINS" window right next to the print option.When you press that button receive address will shown on Ledger screen and I suppose if both addresses are not identical then user have malware in PC.

There is more info and explanations with PDF source here : https://bitcointalk.org/index.php?topic=2878882.0

Some people have the same problem and people on Reddit said that it might be solved by uninstalling the wallet via the

Ledger Manager and installing it again. Even if this resolve the problem, I still think it was poorly handled by the Ledger

developers. A critical issue like this, should have been handled with the highest priority, but they swept it to the side and

followed some red tape.  Roll Eyes

THE FIRST DECENTRALIZED & PLAYER-OWNED CASINO
.EARNBET..EARN BITCOIN: DIVIDENDS
FOR-LIFETIME & MUCH MORE.
. BET WITH: BTCETHEOSLTCBCHWAXXRPBNB
.JOIN US: GITLABTWITTERTELEGRAM
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!