Blockchain security researcher Mohammad Nohbeh discovered a potential risk in the Ledger hardware wallet: an attacker could craft a transaction that debits Bitcoin instead of the altcoin the user believes they are sending.
“An attacker could use this method to transfer Bitcoin. Meanwhile, the user would have the impression that a transaction for another, less valuable altcoin (Litecoin (LTC), Bitcoin Cash (BCH) and others) is being executed,” Nohbeh noted.
In other words, a user could send 0.01 BTC while fully convinced that they had authorised a transfer of 0.01 LTC.
To use altcoins, a Ledger owner must install a separate app for each asset, and only one of these apps can be active at any given moment. Nohbeh found that attackers can access apps that are in an inactive state.
Unlocking an app allows the following functions to be requested:
- exporting public keys;
- signing messages;
- confirming transactions.
“It has been found that for Bitcoin and its forks the device exposes functions when handling any asset. Unlocking the Litecoin app will trigger a BTC transfer confirmation request, while the interface will display the BTC transfer and the LTC address. If you approve the request, a fully valid signed transaction will be sent to the Bitcoin mainnet,” Nohbeh noted.
Until updates arrive, he recommends disabling the altcoin apps in the Ledger Live catalog.
The expert stressed that he had informed the company’s specialists about the vulnerability, but within three months it had not been fixed.
Ledger acknowledged the problem and promised to release an update that would display a warning when it detects an unconventional path being used to execute a transaction. The company noted that blocking such transactions outright would also solve the problem, but could freeze assets that users would no longer be able to access.
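The warning Ledger describes can be approximated by checking the SLIP-44 coin_type in the BIP32 derivation path of the signing key against the coin the active app is meant to serve. This is an added example, not Ledger's code; it assumes that the "unconventional path" in Ledger's statement refers to the BIP32 derivation path, and the coin list and purpose list are limited to the assets named in the article.

```python
"""Flag a BIP32 derivation path whose coin_type does not match the active app.

Added example for this article (not Ledger's code). Assumes the path check
compares the SLIP-44 coin_type field at path level 2 with the coin the
active app is expected to handle, and warns on a mismatch.
"""
import re
from typing import List, Tuple

HARDENED = 0x80000000

# SLIP-44 coin types for the assets mentioned in the article.
SLIP44_COIN_TYPE = {"BTC": 0, "LTC": 2, "BCH": 145}

# Purposes under which a Bitcoin-family app normally signs (BIP44/49/84).
KNOWN_PURPOSES = {44, 49, 84}

_SEGMENT = re.compile(r"^(\d+)(['hH])?$")


def parse_path(path: str) -> List[int]:
    """Turn "m/44'/2'/0'/0/1" into child indices; hardened segments get the high bit set."""
    parts = path.strip().split("/")
    if not parts or parts[0] != "m":
        raise ValueError(f"path must start with 'm': {path!r}")
    indices = []
    for seg in parts[1:]:
        m = _SEGMENT.match(seg)
        if not m:
            raise ValueError(f"bad path segment {seg!r}")
        value = int(m.group(1))
        if value >= HARDENED:
            raise ValueError(f"index out of range in {seg!r}")
        indices.append(value | HARDENED if m.group(2) else value)
    return indices


def check_path_for_app(path: str, app_coin: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False when the path's coin_type is not the
    active app's coin, which is the case a wallet should warn about before signing."""
    idx = parse_path(path)
    if len(idx) < 3:
        return False, "path too short to carry purpose/coin_type/account"
    purpose, coin_type = idx[0], idx[1]
    if not (purpose & HARDENED) or not (coin_type & HARDENED):
        return False, "purpose and coin_type must be hardened"
    purpose &= ~HARDENED
    coin_type &= ~HARDENED
    if purpose not in KNOWN_PURPOSES:
        return False, f"unknown purpose {purpose}"
    expected = SLIP44_COIN_TYPE[app_coin]
    if coin_type != expected:
        return False, f"coin_type {coin_type} is not {app_coin} ({expected}); warn the user"
    return True, "path matches the active app"
```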
UPDATE: The vulnerability has been fixed — the company has released a software update.
The Bitcoin app that fixes the issue in Bitcoin derivative apps is available — for Nano X and Nano S. You can update your app on Ledger Live now.
— Ledger (@Ledger) August 5, 2020
Earlier, Ledger reported a data breach affecting millions of users due to a separately discovered vulnerability.