SECURITY: ATTENTION: Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets

in security •  7 years ago 

Hardware wallet manufacturer Ledger, which sold over one million devices last year, has alerted its users to a major attack vector that’s recently been discovered. Although there are no reported cases of the attack being successfully deployed, the threat itself is very real. Today, Ledger urged users of its cryptocurrency wallets to take steps to avoid falling prey to the address spoofing attack.

Beware the Man in the Middle

Hardware wallets are regarded as one of the safest means of storing bitcoin and other cryptocurrencies. The USB cold storage devices eliminate the sort of attack vectors synonymous with being connected to the web. But to send funds or issue a receiving address, a hardware wallet has to be plugged in to an internet-enabled device, and researchers have discovered a vulnerability that affects Ledger devices at this stage. A newly published report reveals the way the MiTM attack would play out. It explains:

Ledger wallets generate the displayed receive address using JavaScript code running on the host machine…malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.

The attack, if executed, would leave the victim unaware at first that anything was the matter. To prove that the vulnerability is real, the report’s authors have posted a proof of concept that demonstrates the attack in action. The severity of the attack is heightened by the fact that, with Ledger’s wallet software stored in the AppData folder, it is relatively easy for malware to modify the receiving address. As the report notes, “All the malware needs to do is replace one line of code…this can be achieved with less than 10 lines of python”.


A Solution of Sorts

There is a way to avoid this attack by verifying that the receiving address is correct, as the report explains and as Ledger acknowledged in a tweet earlier today.


This solution, while effective, is not failsafe in that it’s reliant on the user remembering to follow this procedure every time they transact. As the report points out, “A proper solution would be to [force] the user to validate the receive address before every receive transaction, just like the wallet [forces] the user to approve every send transaction”.

That’s the system that Trezor now uses with its hardware wallets, mandating the use of 2FA simply to access the receiving address. It is hoped that Ledger will follow suit in updating its devices to adopt this methodology. Hardware wallets are still significantly safer than leaving funds stored on a centralized exchange, but no solution is entirely foolproof, as the Ledger case demonstrates.
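
The tampering described above depends on wallet application files on the host being changed without the user noticing. As an added example (not code from the report, Ledger, or the original article), the Python code below hashes an application directory into a baseline and reports any later change; the file names and contents are constructed stand-ins, not Ledger's real files.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(app_dir):
    """Map each file's path (relative to app_dir) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(app_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(app_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Report files modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed sample: a tiny stand-in for a wallet app directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "js").mkdir()
        # Hypothetical file names and contents (assumptions for illustration).
        (app / "js" / "receive.js").write_text("show(deriveAddress(account));\n")
        (app / "manifest.json").write_text('{"name": "wallet"}\n')
        baseline = build_manifest(app)  # taken right after a trusted install

        # Simulate a one-line edit to the address-display code plus a stray file.
        (app / "js" / "receive.js").write_text('show("SOME_OTHER_ADDRESS");\n')
        (app / "js" / "extra.js").write_text("// unexpected file\n")
        return diff_manifest(baseline, build_manifest(app))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the host's malware cannot rewrite, and a legitimate software update will also change the hashes. A check like this complements verifying the address on the device screen; it does not replace it.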

Do you think this vulnerability is cause for concern and do you think Ledger should enforce 2FA to resolve it? Let us know in the comments section below.



Thanks so much for information dear @steemitboard

LedgerHQ Ledger tweeted @ 03 Feb 2018 - 12:34 UTC

To mitigate the man in the middle attack vector reported here docdroid.net/Jug5LX3/ledger… (affecting all hardware walle… twitter.com/i/web/status/9…

Disclaimer: I am just a bot trying to be helpful.

Just thanks dear bot @twitterbot

ELECTRUM WATCHER WALLET WITH DISTRO - NOTHING SAFER...

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://news.bitcoin.com/ledger-addresses-man-in-the-middle-attack-that-threatens-millions-of-hardware-wallets/

Awesome I just purchased a Nano-S and now I find out that they are not entirely safe. It just goes to prove that as long as we adhere to a money and capitalist society there will always be people looking to steal what others have to get even. When I think about all the time, effort and resources and my life that are wasted dealing with this Bullshit when I or we could be doing other things more productive and satisfying I just get the feeling I want to blow up the World and end the madness...bombs away!

The wallet knows the complete exchange protocol before it begins. If anything needs checking, then the wallet does the checking using a secret verification code. This is not ringed fence, there are no trusted escrow routers.

If you buy a hardware wallet, look at the instruction sheet.

Does the wallet require you to go to a urine infested alley and meet a shady guy in the middle? If so, reject all those transaction protocols and get an intelligent wallet.

Sure, Ledger should mandate use of 2FA, as well as any other manufacturer of hard wallets. Not sure if Keepkey uses 2FA. We can use all the help we can get. Great day everybody.