Hardware wallets OLED Display Vulnerability[Trezor One, Ledger Nano S/X, etc.]

[GreatArkansas]

This vulnerability is on Trezor One only for hardware wallets of Trezor, Ledger Nano S and Ledger Nano X, but...  
This vulnerability also is found on some have a similar feature on OLED display which includes many hardware wallets. So, check your hardware wallets now if they are affected on this OLED display vulnerability.

What will be the possible action of the attacker?

The attack requires device owners to use USB equipment that has been physically manipulated by an attacker. In other situations, users are not impacted...
An attacker has to trick the targeted device owner into performing sensitive device actions with some sort of malicious USB equipment connecting the Trezor One and the computer.

Recommended to do with your hardware wallets:
For Trezor One:
If you have your Trezor One, it is much better to update your firmware to the latest one which is v1.8.2, updating to the latest version will mitigates the issue.
If you also have any Trezor wallet with a different model, it is still much better if you will update your firmware into the latest one, even the Trezor team also suggest that.
Make sure you have the back-up of your correct recovery seed before updating the firmware.

Read more about the vulnerability here: https://blog.trezor.io/details-of-the-oled-vulnerability-and-its-mitigation-d331c4e2001a

For Ledger Nano S and Ledger Nano X:
Ledger already released their article about the OLED screen vulnerability which can be found here: OLED screen (minor) vulnerability.
Which they leave a statement of updating the firmware for the upcoming firmware updates to be released in Q4 2019..

As always, users of Ledger Nano S and Ledger Nano X should update their hardware wallets with upcoming firmware updates, to be released in Q4 2019. We further recommend users to set up their hardware wallets by themselves, in a safe place, and storing the recovery phrase securely.

Also thanks for Christian Reitter, an independent security researcher who found this vulnerability.

[1713917946]

1713917946

[HCP]

Wow, these "vulnerabilities" are getting more and more obscure... how crazy that the power draw to display a line of pixels can be "abused" to the point where you can use it as an attack!!?!

Thanks for the notification. Will go update the Trezor

EDIT: Can confirm that you need to use beta-wallet.trezor.io for the new firmware to show up. Otherwise, it updated without wiping for me, so I didn't need to re-enter the seed or anything. Seems to work as described... random white pixels showing up on the screen:

[Boriss]

I still don't understand how could user be affected by this discovery even without updating to the latest firmware?

It is clearly stated that they aren't aware of any equipment that could actually do something like that to Trezor wallet or any hardware wallet with that kind of display.
They say that Trezor wallet don't need to be tampered and also that equipment needed for this kind of attack cannot be found in any circuitry available on USB or PC, only in electronic labs for example oscilloscope etc... So you can only do something like this in controlled environment to have any chance of success.

"This attack is possible without any modifications to the hardware wallet itself, but requires unique components that are typically not present in USB circuitry."

Lots of smoke for nothing.

[GreatArkansas]

EDIT: Can confirm that you need to use beta-wallet.trezor.io for the new firmware to show up. Otherwise, it updated without wiping for me, so I didn't need to re-enter the seed or anything. Seems to work as described... random white pixels showing up on the screen:
https://i.imgur.com/dTMdb2u.png

Version 1.6.1 and below then update to version 1.6.3 only wipes the device memory as stated in the article, those random pixels on the screen is much better, like for security porpuses, it looks like an additional design for the interface, but overall it is much better especially to secure our hardware wallets.

I still don't understand how could user be affected by this discovery even without updating to the latest firmware?
It is clearly stated that they aren't aware of any equipment that could actually do something like that to Trezor wallet or any hardware wallet with that kind of display.

But the only possible way that can an attacker do is to manipulate the USB connecting to the Trezor One and the computer. They are really not aware, what the user can use to connect their hardware wallet, like the USB cable connecting it to your computer or OTG cable to mobile phones.

[Lucius]

I would agree that this is minor vulnerability, and that users of hardware wallets have no reason to worry too much, this kind of attack is very complicated, and hacker should need to modify your USB cable.

Many of such vulnerability that were found in the past require physical interaction with hardware wallet, so if users follow recommended security practices the actual danger is actually very small. The real danger is actually elsewhere, just check Ledger Reddit and you will see how many users is lost coins in last few days by entering their seed in fake tools presented by fake Ledger support accounts.

[AB de Royse777]

Thanks for the heads up. I will be updating my one (Ledger Nano S) today.

Scammers are creative I have to say. They are doing possibly everything to seal the funds people have. Shame.

[GreatArkansas]

I would agree that this is minor vulnerability, and that users of hardware wallets have no reason to worry too much, this kind of attack is very complicated, and hacker should need to modify your USB cable.

Even Ledger says that it is minor since they don't conduct immediately update for their firmware, unlike Trezor.

Thanks for the heads up. I will be updating my one (Ledger Nano S) today.

Sad to say, Ledger doesn't have any immediate updates about this, as said on their article, it will be on Q4 2019.

[Pmalek]

I don't think this is a big concern really. To be affected by this you would need to purchase a modified USB cable so that this attack could be performed.
As long as you don't purchase USB cables for your hardware wallets from third parties you are safe. Unless someone from Ledger supplies you with a modified cable but that is a whole other story... 

Thanks for the heads up. I will be updating my one (Ledger Nano S) today.

If you are already using firmware version 1.5.5 there is no newer update for now. Just use the cable that came with your Ledger device.

[AB de Royse777]

If you are already using firmware version 1.5.5 there is no newer update for now. Just use the cable that came with your Ledger device.

Not sure about it yet. I will check the firmware later today. By the way, I always used the cable that came with the original device. I am sure I am safe here.

Honestly speaking, this kind of scam is very hard to be a success. Only possible if someone is very close to you who knows you and have access of your cables.

[erikalui]

I have an update notification in Ledger live so will update it soon. They mentioned you need to use the USB that was tampered by the attacker so we aren't using that. I use the USB that came with the wallet and not any other USB cable so I am still safe right? 

[Rath_]

I use the USB that came with the wallet and not any other USB cable so I am still safe right?  

Yes, you are. Anyway, in Ledger's case, you don't have to worry about it when using a wallet normally. The only thing that theoretically could be obtained by an attacker is your PIN code. People who want to generate a new seed or restore the old one, should connect their wallets to a wall charger or use the built-in battery (Nano X). It's very unlikely that you will be targeted now. I would not worry about it.

[bitmover]

The real danger is actually elsewhere, just check Ledger Reddit and you will see how many users is lost coins in last few days by entering their seed in fake tools presented by fake Ledger support accounts.

Yes, I even mentioned this attack here

I saw this on Reddit. Some people robbed already
https://www.reddit.com/r/ledgerwallet/comments/cj9xo0/new_ledger_bot_trying_to_obtain_private_key_and/

Those attacks where the hacker needs physical contact with the ledger are unlikely to happen,and I agree that hardwallet users shouldn't worry.

Sadly phishing attacks are getting more sophisticated everyday, as the Electrum 4.0 phishing update and this ledger bot.

The biggest vulnerability exploit on hardware wallets are its users , which can be phished . Sadly.

[o_e_l_e_o]

So for this attack to be successful, an attacker would need the technical knowledge to build such a device, shrink it to a size that would fit inside a USB cable, physical access to my house to switch out my USB cable without me knowing about it, wait for me to use my device, and then physical access to my house a second time to retrieve the altered USB cable with the data stored within?

Surely if they have both the technical knowledge and the physical access to do all that, it would be far easier for them to just install a hidden camera to watch me type in my PIN? This isn't a vector of attack I am going to be getting too worried about.

[bkbirge]

This is the kind of exploit you only see happen in movies.

[erikalui]

Yes, you are. Anyway, in Ledger's case, you don't have to worry about it when using a wallet normally. The only thing that theoretically could be obtained by an attacker is your PIN code. People who want to generate a new seed or restore the old one, should connect their wallets to a wall charger or use the built-in battery (Nano X). It's very unlikely that you will be targeted now. I would not worry about it.

Thanks! Even if they don't connect it to a wall charger, they should be safe as nobody has been hacked due to this vulnerability till now. With the upcoming update, this possibility also will be ruled out anyway.

[HCP]

This is the kind of exploit you only see happen in movies.

Exactly... a lot of these exploits, while being possible, are highly improbable of actually being able to be used.

It's a bit like the possibility of being hit by a meteorite while walking down the street is non-zero, but highly improbable... so you will quite happily walk down the street without worrying too much about it. Same goes for a lot of these hardware wallet hacks. They're "possible", but "improbable"...

I really doubt someone is going to break into my apartment building, then break into my apartment, then swap out the one USB cable I use for my hardware wallet (out of the 5 on my desk) etc... I'm more worried about getting hit by meteorites tbh

[PrimeNumber7]

I still don't understand how could user be affected by this discovery even without updating to the latest firmware?

This is really an edge vulnerability, and most likely the majority of users keeping even large amounts by personal standards are not at serious risk of the loss of coin.

The specific type of display the Trezor One uses will consume different amounts of power depending on how many pixels are displayed on the screen. The Trezor One display will also start to display one line of pixels at a time with each subsequent line being displayed fractions of a second after the prior line. This means someone monitoring the power consumption of your Trezor One can determine how many pixels each line your Trezor One is dissplaying at a time. An attack could use this information to reasonably guess what is being displayed on your Trezor's screen.

If you were creating a new seed with your Trezor One, an attacker could learn the seed words, and the position of each word that the Trezor One displays. An attacker could also know which row each number is displayed on your Trezor One when displaying the numbers when you enter your PIN; this will allow an attacker to learn your PIN if they monitor your Trezor One's power consumption and monitor your computer after you enter your PIN multiple times.

In order for this attack to be successful, an attacker must have physical access to your computer, and they must install specialized equipment in your computer without you noticing. The attacker must compromise your computer *before* you use your Trezor One on the computer, and cannot learn any information after the fact.

This attack would be specifically targeted to its potential victims. The vulnerability has already been patched with new firmware that instructs the Trezor One to display additoinal random pixels that makes this attack vector moot.

[klaaas]

It is a good thing people test these devices and discover flaws like this. Thanks for posting this op.

I really doubt someone is going to break into my apartment building, then break into my apartment, then swap out the one USB cable I use for my hardware wallet (out of the 5 on my desk)

And it needs to match your cable ; )   
My best guess, may someone want to abuse this they will give out the cables for free.
Dont plug stuff in your computer from unknown sources.

[Pmalek]

I have an update notification in Ledger live so will update it soon. They mentioned you need to use the USB that was tampered by the attacker so we aren't using that. I use the USB that came with the wallet and not any other USB cable so I am still safe right? 

A malicious person would have to produce a lot of these fake USB wallets and be on the look-out for owners of hardware wallets. In case your original USB
cable stops working and you make an ad to try and purchase a replacement cable he could try and sell you one of his.
But still he would need to get physical access to your hardware wallet after you used his cable already. Why go through all the trouble, seems to me that a baseball bat could be more effective 

The only real danger here is getting targeted by someone close to you, a family member or friend who also has access to your home and who could do the swap in case he wants to rob you. 

[Saint-loup]

This is the kind of exploit you only see happen in movies.

No I'm sorry, but there is a real danger for the exchanges and the custodial wallet providers if they are using those devices for their cold wallets. Some "evil maids" or employees could use this vulnerability.