Bitcoin Forum
Author Topic: Ledger - A critical vulnerability on the Bitcoin app has been reported by Myceli  (Read 87 times)
ragnar dannesk gold
February 06, 2019, 12:34:23 AM
 #1

From Ledger's last firmware update and app update:

Quote
Security improvements
The Donjon security team is continuously attacking the Ledger Nano S. This process allows us to improve the security of our devices. Furthermore, we have a bounty program allowing security researchers to be rewarded for their findings. Since the 1.4.2 release, a few vulnerabilities have been reported:

...

A critical vulnerability on the Bitcoin app has been reported by Mycelium

Ledger would like to specifically thank Sergey Lappo, a (former) Mycelium software engineer, for his coordinated responsible disclosure, allowing to keep Ledger’s users safe while improving the security of the Nano S.

...

Critical security fix on the Bitcoin app

It's been 3 weeks since this update, and there doesn't seem to have been any more information released on what specifically (or generally) this 'critical vulnerability' was.

I am reluctant to update firmware (as that in itself is a vulnerability) so would appreciate any more information on this, in order to assess my own best practice.

In an ideal world, I would completely separate hardware and software (i.e. use only Electrum, with a Nano S, verified by Bitcoin Core as a watch-only wallet), but firmware updates like this for 'critical vulnerabilities' make that hard.
Lucius
February 06, 2019, 10:45:44 AM
 #2

ragnar dannesk gold, you did not read the info about the latest firmware for the Ledger Nano S carefully. It is true that a critical vulnerability on the Bitcoin app has been reported by Mycelium, but if you read further in the text there is a list of security improvements included in firmware 1.5.5. One of them is "Critical security fix on the Bitcoin app", so this is fixed, and I do not see why it is a problem for you to update to the new firmware?

This critical vulnerability was reported by Sergey Lappo, a (former) Mycelium software engineer, so the best way to find out details about it is to contact Sergey or Ledger, but I doubt they want to publicly reveal what exactly the vulnerability in the Bitcoin app was.



Always add a source link in your post, otherwise it can be considered plagiarism.

https://www.ledger.fr/2019/01/16/ledger-releases-a-new-nano-s-firmware-update/


ragnar dannesk gold
February 08, 2019, 01:08:48 AM
 #3

I did read it carefully, and nothing in my post contradicts that. My post makes it explicitly clear that I am aware that a firmware update exists 'fixing' this issue.

Quote
but I doubt they want to publicly reveal what exactly was vulnerability in Bitcoin app

If the vulnerability has been fixed, why wouldn't they want to reveal the vulnerability?

Here is a link to murzika's post (Ledger CEO) explaining 3 weeks ago that they will share details about it 'in the coming weeks':

https://www.reddit.com/r/ledgerwallet/comments/agjknw/ledger_releases_new_nano_s_155_firmware_update/ee9olpq/

Quote
murzika (Ledger CEO) - 21 days ago
The vulnerability doesn't expose the private keys so there is no need to do anything. We'll share details about it in the coming weeks.

I am simply asking where that update is.
NeuroticFish
February 08, 2019, 11:22:47 AM
 #4

Quote
If the vulnerability has been fixed, why wouldn't they want to reveal the vulnerability?

Because (too) many didn't update their firmware yet and most probably will not do that for quite some more time.
Please correct me if I am wrong, but if one uses the Ledger only to sign his transactions, he may not start Ledger Live and hence not get the news that a new firmware is out.

Lucius
February 08, 2019, 01:24:01 PM
Last edit: February 08, 2019, 01:57:04 PM by Lucius
 #5

ragnar dannesk gold, you say "I am reluctant to update firmware", so I assumed that you have some doubts regarding this critical vulnerability. The mere fact that it is fixed should be enough for most users, but I fully understand your interest in finding out more about this issue.

As NeuroticFish says, and as is also mentioned in that Reddit post, many users did not update the firmware, and for that reason Ledger is not publishing details about the Bitcoin app critical vulnerability. It is also true that if the Ledger is used with some other wallet (Electrum), such users cannot be notified that new firmware is out.

Edit:

I just opened my Ledger Live and updated to the latest version, but when I check Manager it shows Bitcoin app version 1.3.2, and Ledger says the latest version should be 1.3.4. Is this app maybe available only on 1.5.5 firmware? I still have 1.4.2, but I think this should not be a problem.

bitmover
February 08, 2019, 03:28:05 PM
 #6

This is one more reason to use Electrum instead of the Ledger app.
Electrum is far more tested and trusted. Additionally, you have much more control over transactions with Electrum than with the Ledger app.

bob123
February 08, 2019, 05:18:04 PM
 #7

Quote
This is one more reason to use Electrum instead of the Ledger app.
Electrum is far more tested and trusted. Additionally, you have much more control over transactions with Electrum than with the Ledger app.


The software you use to communicate with the ledger does (most probably) NOT have any influence on exploiting this vulnerability.

It is the bitcoin application (on the ledger) which is (or better: was) vulnerable, not ledger live (which is just the GUI to access the ledger nano s).
Electrum itself is also communicating with the bitcoin application (on the nano s), just as any other GUI is.


@OP:
You are right that updating the firmware can be risky regarding security.
But the Nano S verifies the signature of the update before installing it. If it is not signed by Ledger's (the company's) key, the installation will fail.

So, feel free to update the firmware. You are running a greater risk by not updating it than by updating it.
But make sure to have your seed properly backed up.
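The gate bob123 describes, a device that refuses any update image not signed by the vendor's key, as an added example that is not Ledger's code or the forum's: Ed25519 over a SHA-256 digest is an assumed stand-in for the vendor's real scheme, and both key pairs are generated for the demonstration rather than burned into a device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed update package: body plus detached signature.
type FirmwareImage struct {
	Body      []byte
	Signature []byte
}

// vendorPub models the vendor key a device ships with (ROM on real hardware);
// generated here for the demo only. The private half stays with the vendor.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(nil)

// SignFirmware is the vendor-side step: sign the SHA-256 digest of the image.
func SignFirmware(priv ed25519.PrivateKey, body []byte) FirmwareImage {
	d := sha256.Sum256(body)
	return FirmwareImage{Body: body, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyFirmware is the device-side gate: the image is accepted only if its
// signature verifies against the vendor key; anything else is refused.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: refusing to install")
	}
	d := sha256.Sum256(img.Body)
	if !ed25519.Verify(pub, d[:], img.Signature) {
		return errors.New("not signed by vendor key: refusing to install")
	}
	return nil
}

func main() {
	genuine := SignFirmware(vendorPriv, []byte("constructed firmware image"))
	fmt.Println("genuine image:", VerifyFirmware(vendorPub, genuine))
	// Same signature, one flipped byte in the body: digest changes, check fails.
	tampered := FirmwareImage{Body: append([]byte{}, genuine.Body...), Signature: genuine.Signature}
	tampered.Body[0] ^= 0xff
	fmt.Println("tampered image:", VerifyFirmware(vendorPub, tampered))
	// Correctly signed, but by a key that is not the vendor's: also refused.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("foreign key:", VerifyFirmware(vendorPub, SignFirmware(otherPriv, genuine.Body)))
}
```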
