Still Got Your Crypto: In Response to's Presentation

12/28/2018 | Blog posts

At the 35th Computer Chaos Congress in Leipzig, Dmitry Nedospasov, Thomas Roth and Josh Datko gave a presentation called, where they tried to demonstrate that Hardware Wallets are vulnerable to several types of attacks.
Concerning Ledger, they presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case.
In particular they did not succeed to extract any seed nor PIN on a stolen device. Every sensitive assets stored on the Secure Element remain secure.
Don’t worry, your crypto assets are still secure on your Ledger device.

Security research

As security professionals, we are more than happy to see people trying to challenge the security of our products. This is the way to improve security. But, in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users. In this spirit, we have a bug bounty program rewarding the security researchers for their findings. We regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program. We equally feel that the findings did not provide practical vulnerabilities, as we will discuss underneath.

What has been presented on Ledger Nano S

In short, they demonstrated that physically modifying the Ledger Nano S and installing a malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin app is launched. It would prove quite unpractical, and a motivated hacker would definitely use more efficient tricks (such as installing a camera to spy on the PIN entry).
In more details, here is what has been presented:

Hardware implants

This is a mix of software attacks, supply chain/evil maid attacks, and social engineering. In this scenario, the attacker gets the device of his victim, opens the box and adds a hardware implant. This piece of electronics is in charge of pushing the confirmation button (electronically) when triggered by radio frequency from the attacker.
Then, the scenario is the following: the attacker modifies the device as explained, puts a malware on the victim’s PC which will trigger a transaction and waits for the victim to enter his PIN and launch the Bitcoin app. At this very moment the malware on the PC triggers the transaction. The attacker, who is in a side room, will push the confirmation button with his remote control.
This scenario requires:

It is quite an unpractical scenario, whereas it might be easier for a motivated attacker to install a camera in the room to look for the PIN entry.
We have designed the Nano S to be easily openable, so you can check the integrity of the device yourself. More information can be found here.

MCU check

In this scenario, they tried to perform a supply chain attack by bypassing the MCU check, but they did not succeed. The MCU manages the screen but doesn’t have any access to the PIN nor the seed, which are stored on the Secure Element.

What has been presented on Ledger Blue

Side channel on the PIN of the Ledger Blue

During the demonstration, a proof of concept side channel attack on the Ledger Blue was presented. This attack is a bit unrealistic and not practical.

As the author indicates:

“You cannot do anything super malicious with it, but it’s nice to play around and see how this was done.”

They conducted a Supervised Machine Learning Attack on the PIN entry. When the user enters their PIN, they measure the radio emanation and try to guess which digit has been entered on the screen.
To do so, they first create a dictionary of the 10 different types of emanations for each digit. They performed this phase on a fixed setup where a robot simulates the PIN entry and measures the emanation for each digit.

When the user enters his PIN, they measure this emanation and compare it with the dictionary. To actually perform this attack, one has to:

This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).
For such a scenario, we already implemented a randomized keyboard for the PIN on the Ledger Nano S, and the same improvement is scheduled in the next Ledger Blue Firmware update.
Once again, a better side channel would be to put a camera in the room and record the user entering his/her PIN.

Ledger values all attempts to compromise our hardware wallets. We strongly believe that our Bounty program is the way towards continuous security improvements.

We are, however, also convinced that responsible disclosure is the best practice to follow in order to protect the end users while improving our products’ security.

In case you have any doubts or concerns regarding the integrity of your Ledger devices, please contact our Support team.