A security research group called DARKNAVY discovered a vulnerability in Jade hardware wallets with older firmware versions. This problem affects firmware versions
1.0.24 to
1.0.36. Blockstream has already patched the issue and released updates 1.0.37 and 1.0.38. They now recommend that all Jade users upgrade their firmware to the latest version.
About the vulnerabilityThe affected firmware versions allowed a malicious app on your PC or phone or a website you connect to, to send specific instructions to the Jade. The code could be modified and made to reboot the hardware wallet, give the person temporary control of the device, read or modify data on the Jade, and possibly extract private keys.
For this to work, the PC or laptop would have to be infected with the needed malware. Or someone would have to trick you into installing a fake Blockstream App. It could also work if you gave permission to a malicious website to connect to your Jade.
This is not a remote hack. The company has not found any traces of this vulnerability being used in connection with the official Blockstream app. A malicious party can't install a modified version of the firmware on your device, and any changes made to the Jade were reverted after the device rebooted.
The issue didn't affect Jade as a stateless signer when the device communicated through QR codes.
For someone to be affected by this, they would need to install and use malware-infected and fake software on their phone or PC, and malicious code that targets the specific firmware version they have installed on their Jade. From what I understand, there was no generic attack vector that worked on all affected firmware versions and for both the standard and no-Bluetooth firmwares.
Still, Blockstream calls the vulnerability "severe" in their blog post.
You can read the entire disclosure below:
Jade Security Disclosure
