15-year-old cracks popular crypto wallet

in cryptocurrency •  7 years ago 

A young Brit named Rashid has found a way to outwit hardware wallets manufactured by Ledger for criminal purposes.
The small crypto currency wallets of the French company Ledger promise to be safe against unauthorized manipulation. According to the manufacturer, the devices in size of USB sticks were sold millions of copies worldwide. However, 15-year-old Briton Saleem Rashid has now proven that there is a way to manipulate the cryptocurrency purses and deduct Bitcoins, ethers or other cryptocurrency units.

Minimalist malware
As Ars Technica reports, Rashid managed to outsmart the Ledger products Ledger Nano S (purchase price around $ 100) and Ledger Blue (around $ 200) with only 300 bytes of code. Rashid takes advantage of the design of the hardware wallets. The vulnerability sits in the communication between a secure microcontroller and a second microcontroller, which is needed to enable the communication of Ledger products via USB and the operation via OLED and push buttons.

Bad cleaning ladies
The hack consists of injecting a new, manipulated firmware that creates access codes given by the attacker. This would allow an attacker, for example, to redirect cryptocurrency transfers to the attacker's wallet or even modify transferred totals. To bring the manipulated firmware update on the device, of course, you need physical access to it. As Rashid describes on his blog, a so-called "Evil Maid Attack" would be conceivable. Someone who has only a short access to the Ledger product - such as a malicious cleaning lady - could perform the firmware update.
Manufacturer appeased
Rashid informed Ledger about the vulnerability back in November. The company has since delivered a firmware update that blocks Rashid's accessibility. According to Rashid, the fundamental problem lies in the hardware architecture of the devices (and its two microcontrollers). Similar attacks can be relatively easily reproduced in his opinion. Meanwhile Ledger stresses that the gap found by Rashid is not critical.

"Hacker-genius"
Security researcher Matthew Green of Johns Hopkins University (also mentioned in another context on futurezone) has analyzed Saleem Rashid's work and spoken to the British. As for Rashid's performance, he says, "He's one of the most talented 15-year-olds I've ever dealt with, a true hacker genius, what he did is clever, creative and devastating, and that's when he turns out to be in reality a 35-year-old, he would still be really talented, but my trust in humanity would be disturbed. "

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Congratulations @princefrombelair! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received
Award for the number of upvotes

Click on any badge to view your own Board of Honor on SteemitBoard.

To support your work, I also upvoted your post!
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Upvote this notification to help all Steemit users. Learn why here!

Congratulations @princefrombelair! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Do not miss the last post from @steemitboard:

Are you a DrugWars early adopter? Benvenuto in famiglia!
Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Congratulations @princefrombelair! You received a personal award!

Happy Steem Birthday! - You are on the Steem blockchain for 2 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!