Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.
Ledger at Loggerheads with Security Researcher Who Found Flaw
On March 20, Ledger released an update to its firmware, 1.4.1, accompanied by a blog post that promised “a deep dive into security fixes”. It began: “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware”.
It is the exploit discovered by Saleem Rashid that’s gathered the most attention, both on account of his tender age, and his publication today of a detailed explainer on how he achieved the feat. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely,” Rashid explains. “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.” He also told a security blog that “[Ledger] make it so easy to open the device that you can take your fingernail and open it up [to tamper with it]”…