
Blog posts, Products | 2018/04/17

Announcing the availability of Ledger Nano S Firmware 1.4.2

We are continuously working to improve the security of Ledger devices. As our business grows, we will accelerate our work identifying opportunities to improve the security of our services and products.

This will involve a shift from substantial updates, months apart, to a more regular flow of software updates. Today we are making available Ledger Nano S firmware 1.4.2, following a recent update to 1.4.1.

The latest release includes a series of minor but meaningful updates. As such, this update is recommended for all Ledger Nano S users, and is compatible with all previous firmware versions.

Please follow the step-by-step tutorial to update your Ledger Nano S.

Key changes include:

  1. Improving user PIN security

Ledger Nano S devices let customers use a PIN code to verify their identity when they start the device. Previously, a customer had to enter their PIN with entry beginning at the number 5 by default. This created a theoretical vulnerability: if a Ledger Nano S was used in a public place, an attacker could theoretically count the number of button presses the customer made while entering each digit of their PIN code. In this release, the default digit shown as the device starts is randomised.

  2. Improving recovery phrase security

The second security improvement is similar to the one previously explained, but concerns the entry of letters instead of numbers. Just as Ledger Nano S PIN code entry used to begin with the number 5 as a default, a customer entering their 24-word recovery seed always begins with a default letter, which is currently A. Again, this introduces a theoretical vulnerability, in that a potential attacker could watch or listen to a Ledger Nano S customer entering their seed, count their button clicks, and work out their recovery seed phrase. We think the risk from such an attack is minimal, but have implemented a simple change. In today’s update, the starting letter when a customer enters their recovery seed words is randomised.

  3. Getting rid of confusing error messages

Many of our customers got in touch in recent weeks to report that their Ledger Nano S device displayed an error message when updating to firmware 1.4.1. These messages read ‘MCU firmware is not genuine’, and while this was a part of the update process, this could generate concerns amongst our users. We have made a series of changes to the way our secure element interacts with our microcontroller (MCU) that effectively enable the secure element to securely authenticate the MCU and fix this issue.

To recap, the microcontroller controls the Ledger Nano S buttons, screen and USB connection, and the secure element stores the Ledger firmware, applications, and private keys. You can read more technical details on Ledger’s hardware architecture here.

  4. Improving application checks

In addition to the above updates, we have made a series of upgrades to the Ledger Nano S firmware to improve how the behaviour of installed applications is checked and verified.
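
The press-counting leak behind the PIN and recovery phrase changes above can be quantified. The following is an added example, not Ledger code: it measures how many bits per symbol an observer learns from the press count alone, with a fixed versus a randomised starting symbol. The input model (one step per press, no wrap-around, direct path, uniform secrets, uniformly random start) is an assumption and not documented firmware behaviour.

```python
"""Added example: bits leaked per symbol by press counting, under a simplified model."""
from collections import defaultdict
from math import log2


def leaked_bits(n, start_dist):
    """Mutual information (bits) between the secret symbol and the press count.

    Model (assumptions, not Ledger's documented behaviour): symbols 0..n-1,
    each press moves one step, no wrap-around, the user takes the direct
    path, and the observer learns only how many presses were made.
    start_dist maps each possible starting symbol to its probability.
    """
    joint = defaultdict(float)          # (presses, symbol) -> probability
    for start, p_start in start_dist.items():
        for symbol in range(n):         # uniform prior over the secret symbol
            joint[(abs(symbol - start), symbol)] += p_start / n
    p_count = defaultdict(float)        # marginal probability of each press count
    for (presses, _), p in joint.items():
        p_count[presses] += p
    # H(symbol | presses): uncertainty left after the observation
    remaining = -sum(p * log2(p / p_count[k]) for (k, _), p in joint.items())
    return log2(n) - remaining


def fixed(start):
    """Start distribution for a display that always opens on one symbol."""
    return {start: 1.0}


def uniform(n):
    """Start distribution for a display that opens on a uniformly random symbol."""
    return {s: 1.0 / n for s in range(n)}


def report():
    """Leak per symbol for the four cases the release notes describe."""
    return {
        "PIN digit, start fixed at 5": leaked_bits(10, fixed(5)),
        "PIN digit, random start": leaked_bits(10, uniform(10)),
        "seed letter, start fixed at A": leaked_bits(26, fixed(0)),
        "seed letter, random start": leaked_bits(26, uniform(26)),
    }


if __name__ == "__main__":
    for label, bits in report().items():
        print(f"{label:32s} {bits:5.2f} bits leaked per symbol")
```

Under this model a fixed start at A reveals each letter completely, while a random start leaves only a small residual leak (about 0.2 bits per PIN digit) because very high press counts are only possible for symbols near the ends of the range.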

We will continue to release security updates and improvements in the coming months. As ever, we are grateful to the community of Ledger customers and external security researchers for their questions, support and contributions. In particular we want to thank the first awardees of our Bounty Program, Timothée Isnard, Sergei Volokitin and Saleem Rashid, as well as an anonymous contributor, for their recent submissions.

Please note that if you’ve already updated your Ledger Nano S to firmware 1.4.1, the update from 1.4.1 to 1.4.2 should be much easier and quicker than from 1.3.
