It's not as bad of a flaw as the researcher made it out to be.
Taken directly from Reddit:
> This is not a critical flaw. The security researcher is doing an unfortunate publicity stunt.
> EDIT: we have decided to share more information, even though we wished we wouldn't have to (to not reveal anything useful to black hat attackers). The vulnerability reported by Saleem requires physical access to the device BEFORE setup of the seed, installing a custom version of the MCU firmware, installing malware on the target's computer and having him confirm a very specific transaction. While possible, this proof of concept ranks by no means as a critical severity level and has never been demonstrated. Saleem got visibly upset when we didn't communicate it as a "critical security update" and decided to share his opinion on the subject. This generated a lot of panic with threads such as this one, and I do not believe it was to the benefit of anyone. A complete blogpost (which was already scheduled to be published according to our responsible disclosure program) will be available in time.
In summary, they would need your device BEFORE you got a 24 word recovery, install their malware on it, still have the device in hand.... INCLUDING installing more malware onto the computer you use to access your wallet. Don't worry.... Everyone's safe. Just update it and move on.

EDIT: I upvoted this comment for visibility
Good find!
Thanks. You prolly posted it right when the researcher got mad at the official statement from Ledger. I really didn't think it was newsworthy to make a post to correct it. Anyways, I'll be following you from now on :)
That is the problem with security people: they feel they need to use sensationalism to force users to update, thus diminishing their credibility when the issue really is serious and critical! But users should still do all their updates, especially in the crypto space, as your wallet can be cleaned out. Although the likelihood of this happening with a hardware wallet is very low, it's still better to be up to date than not!
It's a given to update a device, period. With hardware wallets, it's your money on the line. Not to mention, this update also does away with one of the things I was critical about, lack of space. You can now install up to 14 apps on it. No longer will you need to remove one and install another.