15-year-old finds vulnerability in Ledger cryptowallets

News by Robert Abel

A 15-year-old security researcher discovered a serious flaw in Ledger cryptocurrency wallets that would allow an attacker to siphon the device's private key and drain a user's cryptocurrency account(s).

A 15-year-old security researcher discovered a serious flaw in Ledger cryptocurrency wallets that would allow an attacker to siphon the device's private key and drain a user's cryptocurrency account(s).

The cryptocurrency hardware wallets are designed to physically safeguard public and private keys used to receive or spend the user's cryptocurrencies and are  at times so popular that consumer demand has often outpaced the company's ability to produce them.

Saleem Rashid developed an MCU fooling method in which an attacker with physical access to the cryptocurrency wallets could force the device to sidestep security checks by exploiting weaknesses in a non-secure microcontroller chip which shares information with a secure processor chip, according to 20 March  Ledger blog post.

The attacker can then to upload their own malicious code in order to steal the sensitive data. The company has released a firmware update to address the issues along with an Oracle padding on SCP flaw and an Isolation exploit.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike