Enhancing the Ledger Nano X’s Security

07/08/2020 | Blog posts, Security

At Ledger, we continuously strive to enhance the security that our devices and software bring. Today, we’d like to showcase how the Ledger Nano X’s firmware update has enhanced its already robust security.

At Ledger, our priority is to keep your digital assets secure. As such, we’ve formed a team of world-class security experts known as the Ledger Donjon and created a bounty program.

Today, we’d like to discuss a potential minor vulnerability for the Ledger Nano X that Kraken responsibly disclosed to us. We want to reassure you that:

Ledger’s Security Model

Before discussing the minor vulnerability, it’s important to understand how our devices work. Similar to the Ledger Nano S, the Ledger Nano X uses a dual chip setup. This consists of 1 MCU chip (STM32WB55) and 1 Secure Element (ST33). The Secure Element chip is the part that contains your sensitive data, such as your 24-word recovery phrase, private keys and PIN code. We’ve chosen to use Secure Element chips for this, since they’re highly resistant to many physical attacks.

The MCU chip, on the other hand, does not handle any sensitive data. It merely functions as the link between your interface (computer / smartphone) and the Secure Element. It’s not trusted in our design either, meaning it doesn’t have access to any data that’s on the Secure Element. The MCU chip cannot interact with the secure inputs (button presses) nor change the data displayed on the secure display. In short, the Ledger Nano X’s security relies on the Secure Element – not on the MCU chip.

Since the MCU chip is not used for the security of your critical data, we’ve left a specific setting open so advanced users in the community could verify the code that’s running on it. This specific setting is the JTAG/SWD debugging option, which is enabled until you install an app on your Nano X; after installing any application onto your Ledger Nano X, it becomes locked. The minor vulnerability targets this debugging option, which is disabled by default in the new Ledger Nano X firmware update (v1.2.4-2). This firmware update patches this vulnerability completely.

Why it Concerns a Minor Vulnerability

As mentioned above, this vulnerability targets a specific setting on the MCU chip. The Secure Element chip that keeps all your critical information is not affected by this. Since the Secure Element is not affected, this vulnerability cannot be used to extract your 24-word recovery phrase, private keys or PIN code. Your funds remain completely safe. This is due to the MCU chip not being trusted in our design, hence not having any access to this data. 

In addition, this vulnerability is of a purely physical nature. This means that someone must first have access to your Ledger Nano X. Furthermore, they must have physical access to your Ledger Nano X before you install any application onto it. After that, they’d still need the technical know-how to make this vulnerability work, and it still cannot be used to extract key data like your private keys. Lastly, with the already released Nano X firmware update, this vulnerability is completely patched.

Let’s take a closer, more technical look into this. 

If My Crypto Can’t be Stolen, What Can It Do?

As discussed, this vulnerability targets the STM32 MCU chip via the JTAG/SWD debug protocol being enabled when you receive your Ledger Nano X. It becomes disabled as soon as you install any application onto it. We left this debugging option open after careful evaluation of potential risks. This allowed advanced users to check the code that’s actually running on the MCU. We were able to leave it enabled since the security of the Ledger Nano X relies on the ST33 Secure Element chip, not the STM32 MCU chip.

However, this debugging being enabled beforehand can be abused by someone with physical access to your device. They could use this to adapt the firmware running on the MCU chip so that it would keep the debugging option enabled. To do this, physical access to the device is needed – it cannot be performed online. The risk was identified by the Ledger Donjon team prior to Kraken responsibly disclosing it as well, though we didn’t find a way in which it could be exploited that could lead to a loss of funds, even with a very small probability. The patch to this vulnerability is now available with the Ledger Nano X firmware version 1.2.4-2.

Even a malicious firmware on the MCU chip cannot access any data on the ST33, however, which means that your crypto is still secure. An attacker could, on the other hand, make your Nano X connect via USB as a keyboard and have it send malicious code to your PC. While still important, it doesn’t impact the security of the cryptocurrencies you manage through it. Your Ledger Nano X’s recovery phrase, private keys, applications and firmware are all stored in the Secure Element and are still not vulnerable – thus it can be considered a minor vulnerability. 
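The USB keyboard scenario above can be checked from the host side. The following is an added example, not Ledger's or Kraken's code: it parses a USB configuration descriptor and reports any interface that declares itself a boot-protocol keyboard. The sample descriptors are constructed, and the assumption that a normal hardware wallet exposes only a vendor-defined HID interface is ours.

```python
import struct

# USB constants from the USB 2.0 and HID 1.11 specifications
DT_INTERFACE = 0x04
HID_CLASS, BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x03, 0x01, 0x01

def interfaces(config_descriptor: bytes):
    """Yield (number, class, subclass, protocol) for each interface descriptor."""
    pos = 0
    while pos + 2 <= len(config_descriptor):
        length, dtype = config_descriptor[pos], config_descriptor[pos + 1]
        if length < 2 or pos + length > len(config_descriptor):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            d = config_descriptor[pos:pos + 9]
            yield d[2], d[5], d[6], d[7]
        pos += length

def keyboard_interfaces(config_descriptor: bytes):
    """Return the interface numbers that enumerate as a HID boot keyboard.

    Apply this to whatever enumerates when the wallet is plugged in: firmware
    that controls the MCU also controls the vendor and product IDs, so those
    are not a reliable filter. A keyboard without boot-protocol support only
    shows up in its HID report descriptor, which this check does not read.
    """
    return [n for n, c, s, p in interfaces(config_descriptor)
            if (c, s, p) == (HID_CLASS, BOOT_SUBCLASS, KEYBOARD_PROTOCOL)]

def build_config(*ifaces):
    """Build a constructed configuration descriptor for the samples below."""
    body = b"".join(
        bytes([9, DT_INTERFACE, n, 0, 1, c, s, p, 0])   # interface descriptor
        + bytes([7, 5, 0x81 + n, 3, 64, 0, 10])         # interrupt IN endpoint
        for n, (c, s, p) in enumerate(ifaces))
    header = struct.pack("<BBHBBBBB", 9, 2, 9 + len(body),
                         len(ifaces), 1, 0, 0x80, 50)
    return header + body

# Constructed samples: one vendor-defined HID interface (assumed normal),
# and the same device with an additional boot keyboard interface.
SAMPLE_NORMAL = build_config((HID_CLASS, 0, 0))
SAMPLE_SUSPECT = build_config((HID_CLASS, 0, 0), (HID_CLASS, 1, 1))

if __name__ == "__main__":
    for name, blob in (("normal", SAMPLE_NORMAL), ("suspect", SAMPLE_SUSPECT)):
        print(name, "keyboard interfaces:", keyboard_interfaces(blob))
```
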

The new Ledger Nano X firmware update includes an MCU update where the JTAG/SWD debug protocol will be disabled by default instead. Even though this vulnerability cannot be used to gain access to your crypto assets, we decided it’d be best to remove this entry point – especially since we’ve not heard of anyone verifying the code running on the MCU chip. Disabling the JTAG/SWD debugging protocol patches this vulnerability completely. Newly produced Ledger Nano X devices will have this locked by default.

Tricking with a Screen Turning Off

An exploitation of this vulnerability will require a bit of trickery. The screen and buttons of the Ledger Nano X are directly connected to the Secure Element (ST33) chip. There is, however, a single connection between the MCU chip and the OLED screen as well.

The Kraken security team found that if the previously covered vulnerability is used, one could change a specific setting to shut down the screen via the MCU chip. A malicious MCU firmware version could also trigger the screen to shut down at a specific time. Although the screen might be turned off, the Nano X can still process actions based on the buttons you press since this is managed by the Secure Element instead of the MCU chip.

Now on its own, this is more of a bug rather than a vulnerability. It could, however, make one susceptible to social engineering – in other words being tricked by a person with malicious intent. Since button presses are still accepted while the screen is turned off via this vulnerability, they could try to trick you into accepting a wrong transaction.

Similarly to the initial vulnerability, the new Ledger Nano X firmware update includes an update to the MCU firmware that completely patches this. Also, if your screen at any point were to abruptly turn off, you can simply choose not to interact with it – no transaction can be made without buttons being pressed.

The Good News

The firmware update that is now available for the Ledger Nano X also updates its MCU firmware. This causes the MCU chip to be locked, meaning no malicious code could be entered into it. To be more precise: the JTAG/SWD debugging protocol is now disabled from the get-go. This renders this minor vulnerability completely useless, as it relies on the protocol being enabled. This update effectively makes the MCU chip as secure as most standard hardware wallets – and we don’t even use it for storing your critical data. The Secure Element chip will now also check the authenticity of the code running on the MCU chip.

Also, even if you are still using the previous firmware version (1.2.4-1), an attacker would still not have access to any critical data like your recovery phrase, private keys, PIN, apps and other sensitive data.

Since there are a lot of conditions that must be met in order to pull this vulnerability off – after which it still relies on tricking someone through social engineering – it’s extremely unlikely that this kind of attack would be performed successfully. We have also seen no one fall victim to this at the time of writing.

Lastly, we’d like to reiterate that the security of the Ledger Nano X does not rely on the MCU chip, which is the chip this vulnerability concerns. Instead, the Nano X bases its security on the Secure Element chip, which is not impacted. In the Ledger Nano X’s design, the MCU chip is not trusted, meaning it cannot access data that’s on the Secure Element chip. This is the reason why this vulnerability cannot be used to get critical information such as your recovery phrase.

We’d also like to take a moment to thank Kraken for their incredible work. The Ledger Donjon may already have found the root cause of the vulnerability discussed here (JTAG/SWD debugging) and been working on patching this, but Kraken deserves praise as well for finding this independently. We deeply appreciate the similar position they take as our own Ledger Donjon team: doing our part to enhance the security of the entire cryptocurrency industry.