New: Introducing the world's first secure touchscreen hardware wallets

Shop Now

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

The Ledger Donjon: Meet Ledger’s White Hat Hackers

By Ledger
Oct 23, 2019 | Updated Jun 10, 2024
Read 4 min
Medium
Ledger devices on a podium
KEY TAKEAWAYS:
— The Ledger Donjon is Ledger’s team of white hat hackers.

— The Ledger Donjon spends its days analyzing every part of the ecosystem to identify and fix vulnerabilities.

— The Ledger Donjon is a vital part of Ledger’s security model, ensuring your device and any related software is as secure as possible.

Ledger offers the most popular hardware wallet for a reason: its security model and ease of use are unparalleled in the world of non-custodial wallets. To explain, for a device to be secure, it must have 3 key elements: a secure enclave, encryption in that enclave, and a secure screen. This is exactly how Ledger approaches its security model, offering a Secure Element chip, a custom operating system named BOLOS, and a Secure screen driven directly by the Secure Element. It’s these features that make Ledger devices so effective at protecting your digital assets.

 Knowing that you may wonder about these components and their implementation. How do you know they are secure? Even with the best security coding practices and secure hardware, withstanding attacks requires robust testing and efficient implementation of updates.

And that’s exactly where the Ledger Donjon comes in. Each of these expert staff members plays a crucial role in identifying vulnerabilities and working on improvements.

But what is the Ledger Donjon and how does it work exactly?

What is the Ledger Donjon?

The Ledger Donjon is the security research team at Ledger. They’re a team of world-class experts with extensive experience in relevant industries such as cryptography, software, and hardware security.

Its key functions are internal and external security assessment. Essentially, the Ledger Donjon works closely with Ledger’s firmware development and hardware teams to analyze and improve the security of Ledger’s devices and products. 

What is the Ledger Donjon’s mission?

The Ledger Donjon’s main mission is to improve the security of Ledger devices and products.  To do so it does four key things.

Firstly, it must guarantee the confidentiality of user seed (entropy) and private keys. This important information could give an attacker access to your assets, so the Donjon’s primary focus is keeping these secrets secret.

Next, it must ensure the use of digital assets is performed under user consent. Ledger devices also aim to prevent attackers from misleading you to gain your consent unwittingly too.

To follow, the Ledger Donjon must provide a mechanism to verify your device is genuine. This means you can trust the authenticity of your device and its firmware.

Finally, the Ledger Donjon is also responsible for protecting your privacy, putting measures in place to prevent the confidentiality of your identity and the IP of the Secure Element. This stops attackers from tying your crypto wallet to your identity, and potentially revealing more sensitive information about yourself than you wanted to.

But that is pretty conceptual, so let’s dive into the work the Donjon is responsible for.

What does the Ledger Donjon do?

The team members in the Ledger Donjon are essentially hackers: they attack Ledger products just like a hacker would find potential vulnerabilities. The idea is that the Ledger Donjon will always be one step ahead of the hackers.

If a vulnerability is found, the Donjon will immediately develop countermeasures and hardening techniques, which are then evaluated, implemented, and rolled out via firmware updates. Learn more about the process and meet some of the Ledger Donjon members in this introduction video.

Besides attacking vulnerabilities head-on, Ledger Donjon believes in open security; understanding that security must be challenged and continuously improved. In this context, Ledger’s Donjon open sources its attack tools and methodology. One great example is Cargo-checkct, Ledger’s purpose-built tool protecting against timing attacks. 

The next important job carried out by the Ledger Donjon is auditing third-party apps in Ledger Live to ensure they meet Ledger’s security requirements. This guarantees that apps you interact in within Ledger Live don’t affect the security of your device.

Finally, the Ledger Donjon drives Ledger’s bounty program which rewards security researchers for their findings on Ledger’s products. That way, even if the Ledger Donjon team isn’t the first to find a vulnerability, there’s an incentive to report any potential bugs.

What Kind of Attacks Does the Ledger Donjon Work On?

Software attacks

Software attacks are any attempt to expose, alter, disable, destroy, steal, gain unauthorized access to, or make unauthorized use of a digital asset. It covers a wide range of attacks and, in a nutshell, consists of researching unexpected behaviors on a system and playing with its software interfaces. These unexpected behaviors can lead to vulnerabilities. If attackers manage to force a program to run differently, they could gain access to the targeted assets.

A great example of a software vulnerability is a Heartbleed, a bug in a cryptography library that allows attackers to intercept secure communications and steal sensitive information. To force these kinds of behaviors, you must know about reverse engineering, fuzzing, static analysis, code review, cryptography, exploitation, and much more.

Side channel attacks

Side channel attacks are a wide range of attacks that exploit physical leakages of a device handling sensitive information. These attacks focus on measurable information obtained from the implementation of an algorithm, rather than weaknesses in the algorithm itself. For instance, an attacker with physical access to a security device could measure the power consumption or electromagnetic emanations of a device’s circuitry to extract information that could lead to manipulation.

Fault Attacks

Fault attacks consist of perturbing a circuit during its execution of functionalities. These are often performed through overheating, voltage glitching, overclocking, creating strong electric or magnetic fields, or more efficiently by using lasers. The device may begin to show faulty behavior, such as bypassing security tests or outputting incorrect results. This may allow an attacker to perform a Differential Fault Analysis to bypass a PIN check or create faulty signatures.

The Ledger Donjon: The Final Boss of Ledger’s Security Model

The Ledger Donjon is an integral part of Ledger’s security model, but not the only part. Ledger devices are so secure thanks to each pillar working together. The Ledger Donjon guarantees that your Ledger hardware wallet works as intended. Since Ledger uses a Secure Element chip certified by a third-party security lab, and the Ledger Donjon periodically releases updates for Ledger devices and services, you can rest assured your Ledger device’s firmware is always as secure as possible.

Head to the Ledger Donjon homepage here to learn more, and don’t miss the Donjon’s latest blog posts to catch up on the latest tools and updates released recently.


Ledger
Next up: What is Security Certification?

Related Resources

Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.