Bitcoin Forum
May 23, 2018, 07:26:14 PM *
News: Latest stable version of Bitcoin Core: 0.16.0  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: ledger nano S safety  (Read 160 times)
perper350
Jr. Member
*
Offline Offline

Activity: 60
Merit: 0

HELLO


View Profile
February 04, 2018, 01:35:22 PM
 #1

there are some news that ledger nano s has been crack and sell it on ebay or amazon .when you buuy ledger nano s how would you know if it is brand new or it s tampered ? 
the news saying BTC stole secretly by the hackers in ledger nano s when online 

DREAM . BELIEVE and SURVIVE
1527103574
Hero Member
*
Offline Offline

Posts: 1527103574

View Profile Personal Message (Offline)

Ignore
1527103574
Reply with quote  #2

1527103574
Report to moderator
The Bitcoin software, network, and concept is called "Bitcoin" with a capitalized "B". Bitcoin currency units are called "bitcoins" with a lowercase "b" -- this is often abbreviated BTC.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1527103574
Hero Member
*
Offline Offline

Posts: 1527103574

View Profile Personal Message (Offline)

Ignore
1527103574
Reply with quote  #2

1527103574
Report to moderator
1527103574
Hero Member
*
Offline Offline

Posts: 1527103574

View Profile Personal Message (Offline)

Ignore
1527103574
Reply with quote  #2

1527103574
Report to moderator
1527103574
Hero Member
*
Offline Offline

Posts: 1527103574

View Profile Personal Message (Offline)

Ignore
1527103574
Reply with quote  #2

1527103574
Report to moderator
Xynerise
Full Member
***
Online Online

Activity: 210
Merit: 261


39twH4PSYgDSzU7sLnRoDfthR6gWYrrPoD


View Profile
February 04, 2018, 01:49:12 PM
 #2

If the Ledger wallet has been tampered with, it will not be able to connect to Ledger's servers at all.
However, if you believe that someone somehow bypassed this preventive measure, and you're hardware savvy, you can take the Ledger apart to verify if the internals were tampered with.
Just follow This blog post bu Ledger for how to do so.

Other security tips: your ledger DOES NOT come with a pre-generated seed; the ledger generates the seed phrase when you set it up for the first time.

Also, there is a "bug" with the ledger where they do not force users to verify the receiving address which means a malware can change it without the consent of the user.

herecomesjohnny
Member
**
Offline Offline

Activity: 154
Merit: 12


View Profile
February 04, 2018, 01:52:29 PM
 #3

there are some news that ledger nano s has been crack and sell it on ebay or amazon .when you buuy ledger nano s how would you know if it is brand new or it s tampered ? 
the news saying BTC stole secretly by the hackers in ledger nano s when online 


All the new ledger nano-s have Anti-Tampering Seal

The box ships with tamper-proof tape around the packaging. If this tape appears to be altered in any way, it is likely someone tampered with your device before it has arrived to you.

«««▬▬▬▬▬▬▬ Yo coin ▬▬▬▬▬▬▬»»»
P2P Digital Currency ◘    ◘ Maximize your YOLIFE design your own future ◘
Come join our great community on Telegram
DannyHamilton
Legendary
*
Offline Offline

Activity: 2156
Merit: 1352



View Profile
February 04, 2018, 02:37:04 PM
Merited by HCP (1)
 #4

All the new ledger nano-s have Anti-Tampering Seal

The box ships with tamper-proof tape around the packaging.

This appears to be a lie.


According to the FAQ at the Ledger website:
https://support.ledgerwallet.com/hc/en-us/articles/115005211225-Tamper-proof-seal

Quote
Ledger doesn't attach any tamper proof seal on its boxes anymore as it is not useful.
We used to put this grey sticker during a few months, long time ago, but it was a standard sticker, not a seal at all.

Apparently, Ledger uses attestation to verify the authenticity of the firmware everytime you connect the Nano to your wallet software:
https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

Quote
The Ledger Wallet Chrome application sends a random value to the Nano as a challenge. The Nano then signs this random value + the firmware version, using an embedded private key shared by some batches.

The Chrome app knows the public key and can verify the signature.

If an attacker switched the Nano with a replica running a rogue firmware, it wouldn’t pass the attestation test and would immediatly be rejected as non genuine.

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

gentlemand
Legendary
*
Offline Offline

Activity: 1652
Merit: 1140


Hello You


View Profile
February 04, 2018, 03:53:01 PM
 #5

What's happening with these third party sales is that people are receiving preinstalled seeds along with an official-looking card with the seeds written on them.

A new buyer will be perfectly safe if they disregard that seed and generate their own on the Ledger. What the people who've had money stolen are doing is sending their BTC to an address derived from a seed created by the seller/scammer who then drains it.

If you didn't know any better then I suppose it's a pretty easy thing to fall for. As so often it's not a proper hack, it's social engineering.

And I ordered a Ledger recently from Ledger. There was no seal. They abandoned that ages ago. It's tinsel. Anyone can fake it so it's pointless.

dongamk
Member
**
Offline Offline

Activity: 154
Merit: 14


View Profile
February 04, 2018, 06:07:13 PM
 #6

And that is why resetting hardware wallet when it comes in your hand is always recommended.
gentlemand
Legendary
*
Offline Offline

Activity: 1652
Merit: 1140


Hello You


View Profile
February 05, 2018, 12:54:05 PM
 #7

Better is brand new

I read a article about a person who buy a  used ledger stick . It was prepared by a hacker

He lost all

Used or new doesn't matter. All you have to do is generate your own seed when you get it. Anyone who doesn't will lose their money and it's not coming back.

signalbitbot
Jr. Member
*
Offline Offline

Activity: 112
Merit: 0


View Profile WWW
February 05, 2018, 12:54:58 PM
 #8

it is better to buy officially, buy from intermediaries - it is dangerous, they could open and do something. This is unlikely, but none the less.

🌐 World Cryptocurrency Betting
📊 Cryptocurrency analysis
gentlemand
Legendary
*
Offline Offline

Activity: 1652
Merit: 1140


Hello You


View Profile
February 05, 2018, 02:14:46 PM
 #9

it is better to buy officially, buy from intermediaries - it is dangerous, they could open and do something. This is unlikely, but none the less.

A ledger that's been tampered with won't be recognised by ledger software. It validates itself every time you connect it. Obviously there'll always be a kernel of doubt but we'd hear about it if something had been successfully tampered with.

MoonJeina
Sr. Member
****
Offline Offline

Activity: 604
Merit: 250


Secure, scalable blockchain that actually works


View Profile
February 05, 2018, 02:17:20 PM
 #10

This doesn't make sense to me . If it was so , then therewould have been a huge buzz created till now .
Ledger nano s is completely safe and moreover only the user and the owner of the wallet can see the seed  of the wallet . Therefore , making the wallet more secure than it ever was . Until and unless one does not have an complete access to the ledger chip they cannot use it even if it is tampered as the validation process won't let some hacker have access to it easily.

|
               ▄
            ▄█████▄
         ▄███████████▄
      ▄████████▀████████▄
   ▄█████████▀   ▀█████████▄
 █████████▀    ▄    ▀████████
▐██████▀    ▄█████▄    ▀██████▌
▐████▌   ▐███████████▄   ▐████▌
▐██████▄    ▀▀   ███████▄█████▌
▐█████████▄     ██████████████▌
▐█████████▄  ▄   ▀▀   ████████▌
▐███████████████▄    █████████▌
▐████ ▀████████▄  ▄    ▀██████▌
▐████    ▀███████████▌   ▐████▌
▐██████▄    ▀█████▀    ▄██████▌
 █████████▄    ▀    ▄█████████
   ▀█████████▄   ▄█████████▀
      ▀████████▄████████▀
         ▀███████████▀
            ▀█████▀
               ▀
   
>_FOR


    ███▄▄▄▄▄▄▄▄▄▄▄▄▄         ██
    ███            █
             ██    █             █████
 █████             █▀▀▀▀▀▀▀▀▀▀▀▀▀█████
 █████▀▀▀▀▀▀▀▀▀▀█  █             █████
 █████          █  █      ██
       ██       █  █
 ██             █  █           ███
            ██  █  █      █▀▀▀▀███
   █████        █  █      █
   █████▀▀▀▀▀▀▀▀▀▀▀▀▀█▀▀▀▀▀
   █████             █
         ██          █   ██          █████
                ██   █      ▄▄▄▄▄▄▄▄▄█████
        ███▄▄▄▄▄▄▄▄▄▄█▄▄▄▄▄▄█        █████
        ███
                  ██      ▀
 

█▄▄              █▄▄
█████▄▄         ██████▄▄
████████       ████████ █
████████ ██   ████████ ██
████████ ███ ████████ ███
████████ ████ ██████ ████
████████ █████ ████ █████
████████ ▀█████ ██ ██████
████████    ▀▀██  ███████
▀███████         ▀███████
   ▀▀███            ▀▀███
       ▀                ▀
 

                   ▄▄████
              ▄▄████████▌
         ▄▄█████████▀███
    ▄▄██████████▀▀ ▄███▌
▄████████████▀▀  ▄█████
▀▀▀███████▀   ▄███████▌
      ██    ▄█████████
       █  ▄██████████▌
       █  ███████████
       █ ██▀ ▀██████▌
       ██▀     ▀████
                 ▀█▌
 

             ▄████▄▄   ▄
█▄          ██████████▀▄
███        ███████████▀
▐████▄     ██████████▌
▄▄██████▄▄▄▄█████████▌
▀████████████████████
  ▀█████████████████
  ▄▄███████████████
   ▀█████████████▀
    ▄▄█████████▀
▀▀██████████▀
    ▀▀▀▀▀
|
digitalwannabe
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
February 05, 2018, 03:22:21 PM
 #11

All the new ledger nano-s have Anti-Tampering Seal

The box ships with tamper-proof tape around the packaging.

This appears to be a lie.


According to the FAQ at the Ledger website:
https://support.ledgerwallet.com/hc/en-us/articles/115005211225-Tamper-proof-seal

Quote
Ledger doesn't attach any tamper proof seal on its boxes anymore as it is not useful.
We used to put this grey sticker during a few months, long time ago, but it was a standard sticker, not a seal at all.

Apparently, Ledger uses attestation to verify the authenticity of the firmware everytime you connect the Nano to your wallet software:
https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

Quote
The Ledger Wallet Chrome application sends a random value to the Nano as a challenge. The Nano then signs this random value + the firmware version, using an embedded private key shared by some batches.

The Chrome app knows the public key and can verify the signature.

If an attacker switched the Nano with a replica running a rogue firmware, it wouldn’t pass the attestation test and would immediatly be rejected as non genuine.

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

Thanks for clearing this up, could someone elaborate on the level of security with the attestation?
HCP
Hero Member
*****
Offline Offline

Activity: 616
Merit: 782

<insert witty quote here>


View Profile
February 07, 2018, 02:54:38 AM
 #12

As per the article previously linked: https://www.ledger.fr/2015/03/27/how-to-protect-hardware-wallets-against-tampering/

Basically, there is a private key embedded in the unit, which it uses to sign a token and present it to the wallet software. The wallet software knows the "public" key... Thus, the software can determine if the unit has signed the token appropriately.

Basically, like "signing a message" with your private key.

Theoretically, if an attacker managed to compromise both the device AND the wallet software, then they could fake attestation (or just not do it)... However, it is also stated in the article that a signed token is also needed for the API calls to Ledger servers... so the faked wallet software wouldn't be able to make any API calls with a fake (or no) token.

So, in effect, the device is proving that it is legit, every time you connect it. I'm sure there are ways and means to circumvent it, after all no system is 100% secure... but it looks like a fairly solid system.

revelacaogr
Legendary
*
Offline Offline

Activity: 1120
Merit: 1008

2009 Alea iacta est


View Profile
February 23, 2018, 11:03:13 AM
 #13

Announcing the new Ledger Wallet desktop and mobile applications

23/02/2018

https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/


Early 2015, we introduced the Ledger Wallet Bitcoin Chrome application – a Google Chrome app designed to interact with our hardware wallets, enabling simple and secure management of cryptocurrency transactions. This app was rapidly followed by the Ledger Wallet Ethereum and Ripple native applications & companion Chrome apps, making it possible to manage these cryptocurrencies with your Ledger hardware wallet. Three years later, after the massive growth of cryptocurrencies and the multiplication of altcoins and forks, needless to say that our interfaces were ripe for a significant facelift.

Today, we are excited to announce the upcoming availability of our new generation Ledger Wallet application, built natively for desktop and mobile, gathering all cryptocurrencies in a single, unified place. This app will be available on Windows, macOS, Linux, Android, iOS and won’t require Google Chrome or Chromium anymore.

Initial released feature: One unique App for all currencies

Our initial release will bring all the current set of features supported by all our different apps, but in a unified and multi currency unique application.

You’ll find the full list of features of this first release below

Native desktop application (Windows, macOS, Linux)
Multi currencies (23 cryptos including Bitcoin, Altcoins, Ethereum, Ripple…)
Multi devices (Ledger Nano S, Ledger Blue)
Read only consultation of accounts without device (protected by optional password)
Dashboard view of all assets
Counter values: choice of currency & exchanges
Send, receive, account balances & history
Confirmation before sending funds
On device verification of the receive address
Faster account synchronisation engine




What to expect in future releases? Mobile version, additional cryptos supported, 3rd party apps

In addition to this initial release, our teams are working hard on futures updates that we’re really excited about, and that will make your Ledger hardware wallets even more easy to use (notably including a full mobile experience, the ability to support a lot more cryptocurrencies on your Ledger Nano S, and third party app integrations). Here’s a sneak peek into our roadmap:

Mobile application version (Android & iOS)
Ledger Nano/HW.1 support
Install/uninstall apps on Ledger Nano S automatically to smoothly manage a non limited number of cryptos on one device
Ethereum ERC20 tokens & contract management
Third party apps integration (buy/sell cryptocurrencies, exchanges, swaps…)
Transaction tags & notes
Spotlight search
Generate more than one new address
100+ cryptocurrencies support
         

The new application will have its own set of native USB drivers. Google Chrome won’t be required anymore, but this will also break compatibility with the Chromebook platform.

Ledger Manager

Additionally, Ledger is working on a new version of the Ledger Manager platform. We’ll shortly move to a web based solution involving direct USB communication without the need to install any extension. Supported browsers include Google Chrome, Chromium, Opera. This new version will highly improve user experience by bringing a lot of new features such as device information, firmware and apps updates, quick overview of installed currencies, categories, 3rd party apps.

Availability

We’ll soon be announcing availability of the Ledger Wallet application. We’ll first release the desktop version during Q2 2018 and then focus on the mobile version Q3 2018. The new version of the Ledger Manager is also expected for Q2 2018. Stay tuned!

Eric Larcheveque, CEO at Ledger
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!