Update Firmware on Ledger ASAP - Exploit Found Again

in bitcoin •  7 years ago 

This wallet has the most cryptos but also the most security holes. Update needed again.

A 15-year-old teen found this hole while doing some research. Anyone with physical access to a Ledger can extract all private keys.

Whole paper here: https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

The attack is shown here:

Visit his website to give him some love: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/ (the guy is a genius).

UPDATE FIRMWARE ASAP!

Follow, Resteem and VOTE UP @kingscrown creator of http://fuk.io blog for 0day cryptocurrency news and tips!


Nice

This is why it's good to be tech-savvy: to not have to rely on overhyped gadgets to take care of your funds.

If you have ANY significant amount of money in crypto I’d recommend getting a cheap laptop, multiple USBs and doing it by hand. Install Linux on the laptop, download wallets there and then keep the thing offline unless you need to access funds!

Use the USBs to backup wallets, encrypt the drives and store one at home and one in a safety deposit box. It’s a lot of work but if you have five or six figure crypto accounts it’s worth it.

The best way is to get multiple hardware wallets and spread the funds evenly over them. Protect the physical wallets well, though.

Hardware wallets can be hacked either before being sold to you or in transit. If you create one yourself it’s much more secure and virus resistant since you can forgo using insecure operating systems.

Not if you buy one from the official site with anti-tampering seal, like Trezor.

Again, you’re still stuck trusting the computer you use to set up and access Trezor. Why not skip the middle man? Plus, can the seal be faked? Do you trust the company to remain reputable?


Well, that's the point.
Their source code is open source on GitHub and under everyone's eye. If you don't believe the firmware comes from it, review the code, build the firmware and flash it to the device.

I trust nobody but the power of decentralization. Now tell me what else is making you worry?

The hardware is more what I’d think they’d target. It’s harder to detect.


That is what this discussion started with: get a Trezor from the official site with a seal. Reflash the firmware if you are this cautious.

FYI, I have a huge chunk of my net worth inside one of them; I have no less concern than you about the security issues.

I shall thank you if you can point out any better options than a hardware wallet, which so far you have not. Please feel free to enlighten me further.

So, I just upgraded a few days ago. Does this mean another update is already req'd? Or is 1.4.1 good for now?

I was on the fence about switching to a Trezor because of the experience I had with updating to 1.4.1 and the limitations of how many apps you can use. 1.4.1 added a lot more apps but this is the last straw, ordered a Trezor and will swap it out.

That is why crypto still needs improvement.

Even after 3 days plus consulting Ledger support I could not finish the update.

WARNING! The comment below by @blockchainfiend leads to a known phishing site that could steal your account.
Do not open links from users you do not trust. Do not provide your private keys to any third party websites.

@kingscrown I can only say that your post is very useful for me. Success for you.

This is a fantastic post I liked

The security holes are what I like in the wallet
What a great idea
Keep it up
Resteemed

Worth shelling out the extra money for a new ledger. Don't buy used. Cold storage is still far safer than any other online or exchange wallet.

Thanks a lot
Only God can reward you

A 15-year-old teen found this hole while doing some research. Anyone with physical access to a Ledger can extract all private keys.

These kids cannot just be put aside; they are really so intelligent and amazing.


Yeahhhh, I have a feeling that these are like your phone: you don't upgrade to the newest version too fast...

maybe this is what we need to keep so that other than ourselves can not open the password, it seems bitcoin and the like business is very promising at this time

Only 15 years old and already breaking big things; he will succeed for sure.
Thanks for sharing

Sure. Needs update again.