Ledger, the manufacturer of popular cryptocurrency hardware wallets, has responded to the presentation by the wallet.fail team, which announced that it had identified several attack vectors against the company's devices.
“They were unable to extract the PIN or seed phrase from a stolen device. All critical assets in the Secure Element are protected,” the company writes. “Don't worry, your cryptocurrency assets are still safe.”
In particular, Ledger calls the scenario of physically modifying a Ledger Nano S, installing malware on the victim's computer and then signing transactions once the user enters the PIN code “impractical”.
“A goal-oriented hacker will definitely use more effective techniques, for example, installing a camera in order to capture the PIN code at the moment the user enters it.”
According to the company, obtaining physical access to the device and installing malware on the victim's computer is too complicated, and requires the attacker to wait for the user to initiate a transaction, so it is unlikely that anyone would undertake such an attack. At the same time, the company does not deny that it is possible.
Another scenario, in which the researchers installed their own firmware on the device's microcontroller, does allow the device to be put into debug mode, Ledger said, adding that the capabilities of a would-be attacker are likely to be limited.
“They said they had identified a way to bypass the microcontroller check, but they did not show how the bug was exploited.”
The developers commented in a similar way on the extraction of a PIN from a Ledger Blue device by means of a “supervised machine learning” attack.
“This attack is definitely very interesting, but it does not allow the PIN to be extracted under real-world conditions,” the company writes. “To address the problem, we have already introduced a randomized keypad for entering the PIN code. Again, it is easier to set up a camera in order to capture the PIN as the user enters it.”
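The randomized keypad that Ledger mentions defends against side channels that leak which screen position was touched rather than which digit was meant. The simulation below is an added illustration written for this page, not Ledger's firmware or the wallet.fail researchers' code; it models the attacker as having trained a position classifier against a fixed layout (an assumption about how such a model would be used), and shows that the same leaked positions recover the PIN every time with a fixed layout and only by chance with a per-entry shuffle. It also counts how many PINs remain consistent with the leaked positions, which exposes the one thing a randomized keypad still reveals: the pattern of repeated digits.

```python
import random
import secrets
from math import perm

DIGITS = "0123456789"


def fixed_layout():
    """Keypad where screen position i always shows digit i."""
    return list(DIGITS)


def randomized_layout(rng=None):
    """Fresh keypad permutation for one PIN entry.

    A real device must draw this from a CSPRNG; secrets.SystemRandom is used
    here, with an optional seeded rng only so the simulation is reproducible.
    """
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def enter_pin(pin, layout):
    """The user taps the positions showing the PIN digits.

    The returned position sequence is exactly what a touch-position side
    channel (e.g. a classifier over emitted signals) would leak.
    """
    return [layout.index(d) for d in pin]


def attacker_guess(leaked_positions, assumed_layout):
    """Attacker maps leaked positions to digits using the layout it trained on."""
    return "".join(assumed_layout[p] for p in leaked_positions)


def consistent_pins(leaked_positions):
    """Number of PINs consistent with the leaked positions when the layout is
    unknown: the attacker learns only which taps hit the same key, so distinct
    positions can be filled with any ordered choice of distinct digits.
    """
    distinct = len(set(leaked_positions))
    return perm(10, distinct)


def recovery_rate(pin, randomize, trials=1000, rng=None):
    """Fraction of entries in which the position side channel yields the PIN."""
    hits = 0
    for _ in range(trials):
        layout = randomized_layout(rng) if randomize else fixed_layout()
        leaked = enter_pin(pin, layout)
        if attacker_guess(leaked, fixed_layout()) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN
    rng = random.Random(7)  # seeded only for a reproducible demo
    print("fixed layout, attacker success rate:", recovery_rate(pin, False))
    print("random layout, attacker success rate:", recovery_rate(pin, True, rng=rng))
    print("PINs consistent with leaked positions:", consistent_pins(enter_pin(pin, fixed_layout())))
    print("same for a PIN with repeated digits:", consistent_pins(enter_pin("1111", fixed_layout())))
```

The last two lines are the caveat: against an unknown per-entry layout the leaked positions narrow a four-digit PIN only to the 5040 orderings of four distinct digits (or to 10 candidates for a PIN like 1111), so the randomization removes the direct position-to-digit mapping but not the equality structure among the taps. A camera pointed at the screen, as Ledger notes, sees both the layout and the taps and is not affected by the shuffle at all.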
Ledger also criticized the wallet.fail team for choosing to publicly demonstrate the vulnerabilities in its devices at the conference rather than going through the bug bounty program set up for such cases.
“We believe that their findings do not indicate the presence of any vulnerabilities that can be exploited in practice,” the company adds.