Ledger claimed that the recently uncovered vulnerabilities in their hardware wallets are not critical.
In the post, the company explains that there appeared to be “three attack paths which could give the impression that critical vulnerabilities were uncovered,” but according to them “this is not the case.”
The reason Ledger says that the vulnerability is not critical is that “they did not succeed to extract any seed nor PIN on a stolen device” and “sensitive assets stored on the Secure Element remain secure.”
According to the company, the Ledger Nano S vulnerability “demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) app is launched.”
This, Ledger claims, is “quite unpractical, and a motivated hacker would definitely use more efficient tricks.” While the researchers claimed that the vulnerability allowed them to “send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves” Ledger denies its, stating:
“Their firmware runs snake on the MCU in Bootloader mode. This means that you have to push the left button at boot and the Secure Element does not even boot.”
Ledger also claims that the demonstration of the Ledger Blue attack is “a bit unrealistic and not practical,” claiming that “the position of the receiver and the attacked device must be exactly the same, the position of the USB cable is also paramount (as it acts as an antenna).”
The post stated that “if the conditions are not exactly the same, the machine learning classifier won’t work properly.” For this reason, Ledger concluded:
“This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).”
Furthermore, because of this vulnerability, Ledger stated that the next Ledger Blue firmware update will feature a randomized keyboard for the pin.
The company also stated that they “regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.” According to Ledger “in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users.”
In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault. Moreover, the company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.
source : cointelegraph.com
▶ ‘에이코인(ACOIN)” 은 전 세계 오프라인 금거래 시장에서 금의 안전한 거래를 위해 사용하는 프로토콜 암호화폐이며, 코인월드 에이코인(ACO) 전용마켓 오픈 예정
▶ 한미중일 4개국 합자투자로 탄생한 코인월드, ‘에이코인'(ACOIN) 국내 최초 상장 협의중으로 4/16 사전 예약 실시
▶ Coin world, ACOIN listing Discussion
▶ Cryptocurrency exchange coin world, advance booking on next 16th