At Ledger, we don’t simply trust things. We spend significant time and effort to assess the security of every piece of Ledger technology — along with our industry’s. During a recent security audit we uncovered several vulnerabilities in a vendor’s Hardware Security Module (HSM), and presented the findings at Black Hat USA 2019 in August.
Our security team — Ledger Donjon — uncovered 14 vulnerabilities in an HSM model and, upon discovery, worked closely with the vendor to resolve them. The exploitation of these vulnerabilities essentially allowed a remote hacker to gain arbitrary code execution in the HSM, eventually leading to the theft of secret keys. It is important to note that these vulnerabilities were responsibly disclosed around a year ago and have been fixed by the vendor. Obviously, Ledger products including Ledger Nano S, Ledger Nano X and Ledger Vault were not affected by the vulnerabilities.
Further, with the knowledge gained during our audit, we added several countermeasures hardening the HSM architectures. We created additional layers of security, drastically reduced the attack surface and developed specific countermeasures preventing exploitation of potential vulnerabilities we would have missed.
We decided to publish our findings (full details here) to raise awareness about the security of these devices, and also to lay the groundwork for other security researchers. Our intention is that this work will lead to additional research and improve the overall security of the industry.
Our work pointed out implementation flaws that have been quickly patched. Our findings do not question the HSM model, but rather strengthen it. As hackers become more sophisticated, there is no question that our industry must build stronger HSMs, which is exactly where our work will lead.
Designing security is serious, hard work. Those working in this field spend a lot of time and resources trying to create secure solutions. Our security team — the Ledger Donjon — challenges them and helps to enhance the security of the industry.
Chief Security Officer at Ledger