Many people invested in cryptocurrency opt for hardware wallets to further secure their coins, considering the increasing number of attacks on online wallets and exchanges. It appears that you can't relax even if you have bought a hardware wallet as attacks follow you there, as well. Researchers have revealed a security vulnerability in hardware cryptocurrency wallet manufacturer Ledger that affects all its devices. The flaw can enable attackers to steal Ledger users' funds by replacing one line of code.
"Crypto wallets consist of a private key for spending funds, and a public key for receiving funds," security researchers wrote [PDF]. "Modern Crypto clients usually create a new receive address after every transaction. This is done to better protect the privacy of the user, by spreading his funds across multiple addresses, rather than one."
Researchers warn against man in the middle attacks that could divert Ledger user funds to attackers
The problem gets worse, since any unsophisticated malware that doesn't even have admin rights can modify the code as the Ledger wallet software is located in the AppData folder. Researchers also shared further concerns about this lack of authentication on Ledger's part (emphasis is ours):
- The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.
- All the malware needs to do is replace one line of code in the ledger software, this can be achieved with less than 10 lines of python code.
- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.
- The attack changes the receive address during its generation, causing even the automatically generated QR to be updated to the attacker’s address. Meaning that both the string and QR representations of the address are compromised.
Existing users of Ledger who are using the Bitcoin App can choose to verify the integrity of the receive address by clicking on the small monitor button on the bottom right of the receive screen. Tapping on this button makes the receive address show up on the hardware wallet's screen. Researchers wrote that this should be a requirement, not an undocumented feature that many users aren't even aware of.
However, this mitigation isn't offered on Ethereum App and possibly other apps, which means users there cannot use this method to verify the address.
Ledger's response raising concerns among users
In their report, researchers said that in response to their private disclosure, Ledger replied that no fix will be implemented. Researchers added that their "recommendation to enforce the user to validate the receive address" was ignored. Ledger tweeted that this issue cannot be "solved in the absolute".
A malware can always change what you see on your computer screen. The only solution is prevention and building an UX to make the user check on its device. On device verification feature has been added 6 month ago already.
However, not everyone agrees with Ledger's approach of focusing on user awareness alone. "The generated public keys do NOT need to be generated client-side," one tweet said. "There are many companies I have pointed this same issue out to and they have all implemented host solutions and program verifications within a day."
The company also published a blog post today, highlighting some of the concerns raised after that bug report. However, the suggestions coming from that post aren't very reassuring. "If you are using a software wallet which doesn't propose this feature [the monitor button to verify address] we recommend to send a small amount first, and make sure that you have properly received it (verify that your balance has been credited)," the company writes.
While Ledger's security protections remain in question, users are advised to use that monitor button to verify their address and, like Ledger itself writes, understand that "this is not a silver bullet against all possible attacks and you must always verify and double check everything".
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018