5 stars based on
Yet Saleem Rashida year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from Ledger devices.
Rashid found that an attacker could compromise the insecure processor the microcontroller on Ledger devices to run malicious code without being detected. White said he was impressed with the elegance of the proof-of-concept attack code, which Rashid sent to Ledger approximately four months ago.
A video of Rashid demonstrating his ledger wallet blue amazon is below. Rashid said Ledger initially dismissed his findings as implausible. But in a blog post published today, Ledger says it has since fixed the flaw Rashid found — as well as others discovered and reported by different security researchers — in a firmware update that brings Ledger Nano S devices from firmware version 1.
Guillemet said Nano-S devices should alert users that a firmware update is available when the customer first plugs the device into a computer. Rashid said unlike its competitors in the hardware ledger wallet blue amazon industry, Ledger includes no tamper protection seal or any other device that might warn customers that a Nano S has been physically opened or modified prior to its first use by the customer.
Asked whether Ledger intends to add tamper protection to its products, Guillemet said such mechanisms do not add any security. This entry was posted on Tuesday, March 20th, at 1: You can follow any comments to this entry through the RSS 2. Both comments and pings are currently closed. Very impressive crypto work for a 15 year-old.
Hence their claims that you can buy your nano from untrusted sources, they always have a way to verify the secure element has not been tampered with. And if proved to be genuine they can always safely upgrade the secure element firmware which they do with this 1.
The only open question is if this secure element firmware 1. It for sure make it even harder than it was on 1. I believe the statement: Not acquire it from the device. But only to install a keylogger on the MCU, which would capture the pin once the user enters it, then silently approve any transaction sent to the device. But you still need to connect your nano to a computer that would send evil transactions to it i. The only way he could acquire private keys is if the user was to restore a valid seed on a compromised device.
And even then the captured key now sitting on the MCU still needs to be acquired by the attacker in some way. And I can safely use it knowing it is genuine even if an attacker did get physical access to it even If I bought a used one on ebay.
Any random number generator use in such devices should seed from a radioactive dab of radium or the like. Your idea could work, but the regulatory challenges necessary to obtain a specific license to incorporate an exempt quantity of radioactive material into a device for commercial distribution, including mandated safe packaging and labeling requirements, would not be cost effective or worthwhile if background radiation could be used instead.
Still additional circuitry would be necessary also driving up the cost. There are true random number generators available on ledger wallet blue amazon web which use natural phenomena as ledger wallet blue amazon source, e.
This is a good example of why everything should be open source; something that can be learned from the crypto world, where, as far as I know, everything is open to scrutiny, many projects even offering bounties. If we can modify the user interface, we can change the recovery seed that is generated during the onboarding process. This is quite easy since the user interface is open source and Ledger allows you by design!
All I understood is that maids can be evil. Been like this for over 10 years since I started reading news articles about computer security. How about giving all the software and hardware unique twists for the individual user, such that the odds of anyone being in control of the equipment, would be overwhelmingly you alone as a user.
By ledger wallet blue amazon time anything intelligent is learned about this computer, it would have changed into something else, layered processes, and ledger wallet blue amazon created software that does not rely on simplicity and speed, but on sufficient intricacy.
Basically, ledger wallet blue amazon critical processing features of such an entire computer being indistinguishable from being a one way function, from core and out ofc, not being a single piece of code. Why would they not have ledger wallet blue amazon generating the random numbers on the secure chip to begin with? Sure, but better yet: Any communication allowed between them opens ledger wallet blue amazon for trouble.
That over-priced device uses a Tunnel Diode as the noise source or sources. Zener diodes work too when they avalanche. You can make one of these at home provided ledger wallet blue amazon do a bit of learning first. Great article yet again! I find it so interesting when people especially children figure out how to do to such things. Do most of you create online accounts for these websites?
I try very hard NOT to create additional accounts, but then I think if someone malicious creates an account in my name then i will not be able to create my account later on. Credit bureaus should have more breaches. Follow me on Twitter. Join me on Facebook.
Krebs on Security In-depth security news and investigation. March 20, at 1: This kid should be working for the N. March 20, at 7: I am sure he is smart enough not to. March 21, at 4: March 21, at March 20, at 3: March 20, ledger wallet blue amazon 4: Try on new firmware 1.
March 21, at 9: March 20, at 6: Even if a device is fully open source, it will still be manufactured in China. March 20, at 9: March 20, at April 10, at This Web site works perfectly as-is when I use my phone. March 21, at 7: No chance of Zagons tampering with the interocitor. March 21, at 3: March 21, at 8: All they have to actually do is move seed generator to secure chip.
But nice work, kid! From my understanding there is no such thing as a Truly Random Number Generator. March 22, at March 22, at 4: March 23, at 9: Am I the only one who is a little bit surprised by the pompousness of the Ledger devs?
March 23, at March 25, at 5: Keep leaking data, and your ledger wallet blue amazon increase! March 27, at 6: Your email account may be worth far more than you imagine.