Security Issue found with all hardware crypto wallets

in #bitcoin, 7 years ago (edited)

The LedgerHQ Twitter account just reported a security concern with their Ledger products that also affects all other hardware wallets at this time.

While the wallet itself isn't vulnerable, the receive address is generated with JavaScript running on the host machine. Malware running on your host machine can manipulate the displayed address, substituting a hacker's address instead.

Concerns about the attack

(Pulled from vulnerability doc)

  • All the ledger wallet software is located in the AppData folder, meaning that even an
    unprivileged malware can modify them (no need to gain administrative rights).

  • The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files,
    meaning they can be modified by anyone.

  • All the malware needs to do is replace one line of code in the ledger software, this can be
    achieved with less than 10 lines of python code.

  • New ledger users would typically send all their funds to the wallet once initialized.
    If the machine was pre-infected, this first transaction may be compromised causing the user to
    lose all of his funds.

  • The attack changes the receive address during its generation, causing even the automatically
    generated QR to be updated to the attacker’s address. Meaning that both the string and QR
    representations of the address are compromised.


The only solution is to force the hardware device to show the address on its own display screen and verify that it matches the address shown on the host machine. On the Ledger this can be done with the Monitor Button.

On the Trezor, there is a button to show the address on the device's display screen.
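The list above notes that the wallet's files sit in a user-writable folder with no integrity check. As an added example (not from the original post or from any wallet vendor's software), this Python code baselines a directory with SHA-256 and reports later changes. The directory layout, file names and key are constructed, and it assumes the baseline, its HMAC key and the checker itself are kept somewhere unprivileged malware cannot write.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(app_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(app_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(app_dir.rglob("*")) if p.is_file()}


def seal(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest so an edited baseline is detectable."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def check(app_dir: Path, baseline: dict, tag: str, key: bytes) -> dict:
    """Compare the directory with a sealed baseline; report every difference."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest failed authentication")
    current = build_manifest(app_dir)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed sample: a stand-in app directory edited after baselining."""
    key = b"constructed-demo-key"  # assumption: stored outside the user-writable profile
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "wallet-app" / "js"  # hypothetical layout
        app.mkdir(parents=True)
        (app / "receive.js").write_text("show(deriveAddress(path));\n")
        baseline = build_manifest(app.parent)
        tag = seal(baseline, key)
        # Simulate the one-line replacement the list above describes.
        (app / "receive.js").write_text("show('CONSTRUCTED-OTHER-ADDRESS');\n")
        (app / "extra.js").write_text("// file that was not in the baseline\n")
        return check(app.parent, baseline, tag, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A check like this only detects changes to files on disk; confirming the address on the device's own screen remains the control described above.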


Source

More information about the vulnerability can be found here. This is not limited to Ledger or Trezor; any device that runs a client on the host machine can be at risk.


There are always some holes in the security no one has discovered yet...


This was both mean and funny, I feel bad for enjoying it :))

Those are what you call the known unknowns. One must really worry about the unknown unknowns.

Wow. Thanks for sharing.

I assume if you use the address you generated a while back and use it every time you transfer funds to the hardware wallet then all this problem will be mitigated?

Yes, but having a unique receive address each transfer is very nice.

Thanks for sharing, friend / upvoted


Hopefully the dons of the crypto market can do something about this

If these hackers worked for something positive.... the world would be much better.

Thanks for the post... I'll always check the address.

They work for a positive cash flow, what's wrong with that... ;-)

I hope they do not want to work for a positive cash flow with my ledger... =)

this great post
Good morning friend your precious post has impressed me,

EXCELLENT

Just another item to add to the list of stuff to verify.
Annoying, however in the ongoing struggle to keep things secure this is not a big surprise.
Spoofing addresses is indeed an issue to pay attention to.
Thanks for the update