Author Topic: Ledger App Isolation Bypass Vulnerabilities  (Read 175 times)
cryptomaniac_xxx (OP)
August 06, 2020, 10:26:16 AM
Merited by Baofeng (1), bitmover (1)
 #1

I found this post: https://monokh.com/posts/ledger-app-isolation-bypass.

It's about supposed vulnerabilities on Ledger:

Quote
The ledger device exposes bitcoin (mainnet) public key and signing functionality outside of the "Bitcoin" app. It presents misleading transaction confirmation requests indicating the selected app's addresses and amounts when in fact different transactions are being signed.

I'm not an expert or anything, but it looks like Ledger hasn't addressed these issues so far, or they are being addressed right now; it looks like it's taking them months.

In that exposé, you can see the Disclosure Timeline.

Quote
Disclosure Timeline
18 Jan 2019 - Privacy related aspect of the vulnerability (reading addresses) disclosed to Ledger via report and PoC. (bounty@ledger.fr)
Ledger: Firmware was updated but apps still need to be updated.
Prompted for public disclosure: Bug will be disclosed once apps are updated.
30 Apr 2019 - Disclosed issue unfixed - Ledger contacted for update. No response. (bounty@ledger.fr)
1 May 2020 - Discovered root cause expands to signing functions and can be exploited to steal funds (bounty@ledger.fr)
2 May 2020 - New report detailing bypassing the isolation for signing disclosed to Ledger with new report and PoC (bounty@ledger.fr)
4 May 2020 - Ledger investigating. (bounty@ledger.fr)
10 May 2020 - No response. Follow up. (bounty@ledger.fr)
12 May 2020 - Issue acknowledged - mistakenly at first as only privacy related - set out disclosure timeline (bounty@ledger.fr)
13-14 May 2020 - Exchanges with ledger clarifying severity and awareness (bounty@ledger.fr)
17 June 2020 - Request for update (bounty@ledger.fr) - No response
28 July 2020 - Request for update sent to Ledger Donjon (Twitter DM) - No response
03 Aug 2020 - Vulnerability not fixed or disclosed by Ledger. Public disclosure

chronicsky
August 06, 2020, 11:43:36 AM
Merited by bitmover (2)
 #2

https://donjon.ledger.com/lsb/014/

One should be very careful when using hardware wallets (or any, for that matter).

Do not connect to just any third-party application, and try to keep your Ledger with BTC separate from shitcoins.


Code:
Date	Action
2020-05-02 monokh sent to bounty@ledger.fr a vulnerability report about app isolation bypass.
2020-05-04 Ledger’s security team acknowledged the reception and starts investigating.
2020-05-10 to 2020-05-13 monokh and the Ledger security team discussed the issue. Ledger’s security team started coordinating other Ledger teams to fix it. A disclosure date is being set to 90 days (that is, 2020-08-02).
2020-08-02 90 days deadline reached. Ledger started the test and release process for the fixed Bitcoin app.
2020-08-04 monokh published the details of the vulnerability, without informing Ledger’s security team beforehand through bounty@ledger.fr.
2020-08-05 Ledger updated the Bitcoin app.


So much miscommunication.
TryNinja
August 06, 2020, 11:49:21 AM
 #3

An update with the fix (kinda) is already available on the Ledger Live: https://twitter.com/ledger/status/1291061084435238912

There is now a warning that should make users aware of a potential issue with that.

Here is their FAQ: https://support.ledger.com/hc/en-us/articles/360015738179

bitmover
August 06, 2020, 04:23:01 PM
 #4

Quote
Do not connect to just any third-party application, and try to keep your Ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case.

If you connect your Ledger to third-party malicious software, they could steal your BTC.
That's kind of a serious vulnerability; sadly, Ledger didn't handle it well.

hatshepsut93
August 06, 2020, 07:02:38 PM
 #5

First the data breach, now the disclosure of this vulnerability, which seems to have been there for more than a year. Some people would say that Ledger is a bad company, but I think other hardware wallet companies aren't immune from such issues, and in the long run they too will have their share of security failures. What we should learn from this is that there are no simple solutions that can allow users to bypass deeper learning of Bitcoin and security. Bitcoin's decentralized nature makes it have much higher security requirements than its centralized competitors.

Baofeng
August 06, 2020, 07:04:23 PM
 #6

Quote
Do not connect to just any third-party application, and try to keep your Ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case.

If you connect your Ledger to third-party malicious software, they could steal your BTC.
That's kind of a serious vulnerability; sadly, Ledger didn't handle it well.

This one, we really don't know if they ignored monokh or just totally forgot about it. And now it is out on crypto social media, and it seems they are again too late in reacting, making them look very bad again.
