Ledger - A critical vulnerability on the Bitcoin app has been reported by Myceli

[ragnar dannesk gold]

From Ledger's last firmware update and app update:

Security improvements
The Donjon security team is continuously attacking the Ledger Nano S. This process allows us to improve the security of our devices. Furthermore, we have a bounty program allowing security researchers to be rewarded for their findings. Since the 1.4.2 release, a few vulnerabilities have been reported:

...

A critical vulnerability on the Bitcoin app has been reported by Mycelium

Ledger would like to specifically thank Sergey Lappo, a (former) Mycelium software engineer, for his coordinated responsible disclosure, allowing to keep Ledger’s users safe while improving the security of the Nano S.

...

Critical security fix on the Bitcoin app

It's been 3 weeks since this update, and there doesn't seem to have been any more information released on what specifically (or generally) this 'critical vulnerability' was.

I am reluctant to update firmware (as that in itself is a vulnerability) so would appreciate any more information on this, in order to assess my own best practice.

In an ideal world, I would completely separate hardware and software (Ie: use only Electrum, with a Nano S, verified by Bitcoin Core as a watch only wallet), but firmware updates like this for 'critical vulnerabilities' make that hard.

[Lucius]

ragnar dannesk gold, you did not read carefully info about latest firmware for Ledger Nano S. It is true that A critical vulnerability on the Bitcoin app has been reported by Mycelium, but if you read further in the text there is list of security improvements included in firmware 1.5.5. One of them is Critical security fix on the Bitcoin app, so this is fixed and I do not see why is problem for you to update new firmware?

This critical vulnerability is reported by Sergey Lappo Mycelium software engineer (former), so best way to find out details about it is to contact Sergey or Ledger, but I doubt they want to publicly reveal what exactly was vulnerability in Bitcoin app.


Always add source link in post, otherwise it can be considered to be a plagiarism.

https://www.ledger.fr/2019/01/16/ledger-releases-a-new-nano-s-firmware-update/

[ragnar dannesk gold]

I did read it carefully, and nothing in my post contradicts that. My post makes it explicitly clear that I am aware that a firmware update exists 'fixing' this issue.

but I doubt they want to publicly reveal what exactly was vulnerability in Bitcoin app

If there vulnerability has been fixed, why wouldn't they want to reveal the vulnerability?

Here is a link to murzika's post (Ledger CEO) explaining 3 weeks ago that they will share details about it 'in the coming weeks':

https://www.reddit.com/r/ledgerwallet/comments/agjknw/ledger_releases_new_nano_s_155_firmware_update/ee9olpq/

murzikaLedger CEO - 21 days ago
The vulnerability doesn't expose the private keys so there is no need to do anything. We'll share details about it in the coming weeks.

I am simply asking where that update is.

[NeuroticFish]

If there vulnerability has been fixed, why wouldn't they want to reveal the vulnerability?

Because (too) many didn't update their firmware yet and most probably will not do that for quite some more time.
Please correct me if I am wrong, but if one uses Ledger only to sign his transactions he may not start Ledger Live hence not get the news that a new firmware is out.

[Lucius]

ragnar dannesk gold, you say "I am reluctant to update firmware", so I assumed that you have some doubts regarding this critical vulnerability. The mere fact that it is fixed should be enough for most of users, but I fully understand your interest in finding out more about this issue.

As NeuroticFish say, and it is also mentioned in that Reddit post, many users did not update firmware and for that reason Ledger is not publishes details about Bitcoin App critical vulnerability. It is also true if Ledger is used with some other wallet (Electrum), such users can not be notified that new firmware is out.

Edit :

I just open my Ledger Live and update to latest version, but when I check Manager it shows Bitcoin App version 1.3.2, and Ledger says latest version should be 1.3.4. Is this app maybe available only on 1.5.5 firmware? I still have 1.4.2, but I think this should not be a problem.

[bitmover]

This one more reason to use Electrum instead of ledger app.
Electrum is far more tested and trusted. Additionally, you have much more control over transactions with Electrum than with ledger app.

[bob123]

This one more reason to use Electrum instead of ledger app.
Electrum is far more tested and trusted. Additionally, you have much more control over transactions with Electrum than with ledger app.

The software you use to communicate with the ledger does (most probably) NOT have any influence on exploiting this vulnerability.

It is the bitcoin application (on the ledger) which is (or better: was) vulnerable, not ledger live (which is just the GUI to access the ledger nano s).
Electrum itself is also communicating with the bitcoin application (on the nano s), just as any other GUI is.


@OP:
You are right that updating the firmware can be risky regarding the security.
But the nano s is verifying the signature of the update before installing. If it is not signed by ledger's (the company) key, the installation will fail.

So, feel free to update the firmware. You are running a greater risk not updating it, than when updating it.
But make sure to have your seed properly backed up.

[TryNinja]

I believe this was the vulnerability: How (not) to lose your life savings while paying for a coffee with your Ledger Hardware Wallet

A brief description of the issue:

If your wallet was compromised It might have had an ability to trick your Ledger Hardware Wallet into sending funds from all your accounts to the attacker’s wallet while you were sending just a small amount from one of them - without anything hinting at something being wrong on the hardware wallet.

Also from the article above:

Hey, stop. I’m a Ledger user and have 1 billion dollars on there! Should I be worried?

In fact, you shouldn’t if you updated your wallet to the latest firmware recently. The fix was released in December (it’s possible to only update BTC app instead of upgrading whole firmware) and updated firmware with new BTC app was released in January.

Here is a video demonstrating it: Bug in Ledger Wallet

[Lucius]

I just open my Ledger Live and update to latest version, but when I check Manager it shows Bitcoin App version 1.3.2, and Ledger says latest version should be 1.3.4. Is this app maybe available only on 1.5.5 firmware? I still have 1.4.2, but I think this should not be a problem.

I need to quote myself since there is no answer to my question. I still no see that is possible to update only Bitcoin App from version 1.3.2 to 1.3.4 with old 1.4.2 firmware.

Also in which way and how Ledger Nano S can be compromised so such attack can be successfully executed? Is hacker need physically access the device or it can be done remotely?

[TryNinja]

Also in which way and how Ledger Nano S can be compromised so such attack can be successfully executed? Is hacker need physically access the device or it can be done remotely?

The attack comes from an infected/malicious wallet/device. Take a look at the article; I think it describes well.

About your issue, try contacting Ledger’s support.

[HCP]

I need to quote myself since there is no answer to my question. I still no see that is possible to update only Bitcoin App from version 1.3.2 to 1.3.4 with old 1.4.2 firmware.

Most likely the 1.3.4 app is reliant on underlying changes in the 1.5.5 firmware... so the app is likely to only show in the manager if you update.

Also in which way and how Ledger Nano S can be compromised so such attack can be successfully executed? Is hacker need physically access the device or it can be done remotely?

It required that the software wallet on your PC/phone/tablet you were using in conjunction with the Nano S/Blue was setup to exploit the flaw... in the video linked above (and associated article), the actual developers of Mycelium (who responsibly reported the flaw) had purposely coded a version of their wallet that could create data packets that fooled the device into only showing address + fee + amount... while hiding all the other "change" outputs.

If you don't have a requirement to have multiple coin apps loaded on your device, I'd advise to update to the 1.5.5 firmware... and then you won't have to worry about this issue. You'll just be restricted to a couple of coin apps due to the space issues with the latest ETH app

[Lucius]

Most likely the 1.3.4 app is reliant on underlying changes in the 1.5.5 firmware... so the app is likely to only show in the manager if you update.

Ledger clearly says on its site :

For security reasons, it is strongly recommended to update your device. However, if you do not wish to update your device for the moment, please make sure you do update the Bitcoin app to version 1.3.4.

This is a very clear statement to me that users who do not want to update firmware, for security reasons can only update Bitcoin app to version 1.3.4. This is obviously wrong instructions for users, because I try with latest Ledger Live app and it always show Bitcoin app 1.3.2.

If you don't have a requirement to have multiple coin apps loaded on your device, I'd advise to update to the 1.5.5 firmware... and then you won't have to worry about this issue. You'll just be restricted to a couple of coin apps due to the space issues with the latest ETH app

Personally I have no problem with number of apps on Nano S, and I do not use ETH app. I done update to 1.5.5, so this problem is solved for me, and latest Bitcoin app is now 1.3.7 + Ledger Live 1.4.1.