Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.
Also read: Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets
Ledger at Loggerheads with Security Researcher Who Found Flaw
On March 20, Ledger released an update to its firmware, 1.4.1, accompanied by a blog post that promised “a deep dive into security fixes”. It began: “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware”.
It is the exploit discovered by Saleem Rashid that’s gathered the most attention, both on account of his tender age, and his publication today of a detailed explainer on how he achieved the feat. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely,” Rashid explains. “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.” He also told a security blog that “[Ledger] make it so easy to open the device that you can take your fingernail and open it up [to tamper with it]”.
White Hat Hacker Forgoes His Bounty
Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts, while noting that this doesn’t prevent the researchers from publishing their own reports. The article is worded in such a way as to suggest all three researchers were happy to comply with this agreement, but that’s not entirely true. Rashid actually forwent his bounty reward, explaining:
I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.
The teen researcher is of the opinion that Ledger were seeking to downplay the seriousness of the exploit he’d uncovered. Publishing a full and frank report of how he broke the Ledger wallet, and giving up his right to a reward, hasn’t done