Bitcoin Forum
Author Topic: How to verify the security integrity of the Ledger Nano S?  (Read 47 times)
omali
June 22, 2018, 02:45:36 AM
 #1

If you buy a Ledger Nano from a reseller, you would have to make sure 101% that the device is not tampered with.

So I found an article on the Ledger website that explains it https://ledger.zendesk.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-

A really great article it is, but this guide is hard to follow entirely. There are four steps in the article. The first step which is to open the device up to verify that no additional chip has been added was simple to follow. But then the other steps got me completely confused with all the info, commands, codes...

Someone please help with guidelines on how to follow these steps.
TryNinja
June 22, 2018, 03:47:11 AM
 #2

1. Install Python on your computer.
2. Open your terminal/cmd and run:
Code:
pip install --no-cache-dir ledgerblue

3. Then, run:

On firmware 1.3.1 or below
Code:
python -m ledgerblue.checkGenuine --targetId 0x31100002

On firmware 1.4.1 and above
Code:
python -m ledgerblue.checkGenuine --targetId 0x31100003

It will output whether your device is genuine or not.

mjglqw
June 22, 2018, 04:07:31 AM
 #3

I don't think checking the hardware isn't necessary. But yea, I understand if you want to be very very sure.

Correct me if I'm wrong, but wouldn't the Ledger chrome plugin know if you're using a genuine product or not? Quote from https://blog.ledger.co/2015/03/27/how-to-protect-hardware-wallets-against-tampering/
Quote
How does it work?

The Ledger Wallet Chrome application sends a random value to the Nano as a challenge. The Nano then signs this random value + the firmware version, using an embedded private key shared by some batches.

The Chrome app knows the public key and can verify the signature.

If an attacker switched the Nano with a replica running a rogue firmware, it wouldn’t pass the attestation test and would immediately be rejected as non genuine.

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

omali
June 22, 2018, 04:17:53 AM
 #4

Quote from: TryNinja on June 22, 2018, 03:47:11 AM
1. Install Python on your computer.
2. Open your terminal/cmd and run:
Code:
pip install --no-cache-dir ledgerblue

3. Then, run:

On firmware 1.3.1 or below
Code:
python -m ledgerblue.checkGenuine --targetId 0x31100002

On firmware 1.4.1 and above
Code:
python -m ledgerblue.checkGenuine --targetId 0x31100003

It will output whether your device is genuine or not.

Ok ... I will try this
omali
June 22, 2018, 05:08:14 AM
 #5

Quote from: mjglqw on June 22, 2018, 04:07:31 AM
I don't think checking the hardware isn't necessary. But yea, I understand if you want to be very very sure.

Correct me if I'm wrong, but wouldn't the Ledger chrome plugin know if you're using a genuine product or not? Quote from https://blog.ledger.co/2015/03/27/how-to-protect-hardware-wallets-against-tampering/
Quote
How does it work?

The Ledger Wallet Chrome application sends a random value to the Nano as a challenge. The Nano then signs this random value + the firmware version, using an embedded private key shared by some batches.

The Chrome app knows the public key and can verify the signature.

If an attacker switched the Nano with a replica running a rogue firmware, it wouldn’t pass the attestation test and would immediately be rejected as non genuine.

There is absolutely no way that an attacker could replace the firmware and make it pass attestation, without knowing the Ledger private key.

You mean that the Chrome apps can verify the device integrity when I plug it in? Wow, I didn't know that. I am really learning a lot from this great community... Thanks
TryNinja
June 22, 2018, 04:25:21 PM
 #6

~
Yes. When I open the Chrome app, connect and unlock my Nano, the screen briefly shows "Checking if the device is genuine" or something like this. The methods in the article are just a way of checking it directly.
