Warning for Ledger Nano S users / buyers

[RGBKey]

The first article you link to contains a niche security vulnerability which has already been patched. The second article you link to requires someone having access to files on your machine, and if they can do that then you're already in a world of hurt. Additionally, a new Ledger desktop app is scheduled to be released this month, so that second article will no longer be relevant.

[everythingforsale]

Thanks for sharing,  I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

[notaek]

There are three main scenarios where a hardware wallet can get compromised:

• Blatant stealing of coins by untrustworthy resellers: This happens when someone buys a hardware wallet at a "cheaper price" from 3rd party resellers who aren't endorsed by the companies and falls victim without knowing that they are using the per-generated wallet with shared private keys. The cheaper price is the catch here.

• Locating and replacing the receiving address from the Ledger wallet JavaScript file: It requires an attacker to replace the receiving addresses of victim to his own static address where the victim will send coins to the attacker. This compromise is quite complex and requires quite a bit of social engineering.

• Fooling the MCU of victim's device: In this case a 3rd party seller can inject his own seed into the device in such a way that whenever a victim plugs in for the first time, it generates their injected seed instead of a random one. This was quite a concerning vulnerability but the Ledger Team has patched it in the next firmware update since its release.

Its fairly obvious by now that every buyer should do their due diligence before purchasing a hardware wallet and storing their fortunes into it.

[LeGaulois]

@RGBKey
Excuse me but where did you see the desktop application would be ready this month? By the way, people should be careful while using it the first weeks, who knows if it will have some bugs here and there. I personally will let others test it, once I am sure the app is free from bugs I will start to use it

Thanks for sharing,  I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

If you had read the comments you wouldn't have this kind of post. See the post #23 above

[bob123]

Excuse me but where did you see the desktop application would be ready this month?

Ledger released an article in february, stating the release would be july:

Update June 5th: the release date of the new version of the Ledger Wallet desktop edition is scheduled to July 9th

Source: https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/


But who knows whether their software will be completely done by then.. I wouldn't be suprised by a delay of 1 or 2 months.

[RGBKey]

@RGBKey
Excuse me but where did you see the desktop application would be ready this month? By the way, people should be careful while using it the first weeks, who knows if it will have some bugs here and there. I personally will let others test it, once I am sure the app is free from bugs I will start to use it

Thanks for sharing,  I am just about to buy myself some of those Ledgers, because I've heard that this is the most secure way to store your cryptocurrency, now I would be extremely careful and aware.

If you had read the comments you wouldn't have this kind of post. See the post #23 above

Poster above me already linked the release date announcement, but you shouldn't have to worry about bugs as long as you're actually checking the information displayed on the device, like you should every time you're using it. If you sign a transaction with the wrong address/amount/fee, that's on you. A bug outside of that would be a much bigger deal and would likely ruin the ledger line of products.