For many years now, Ledger has boasted that its specialized hardware for storing cryptocurrencies is designed to be extremely secure. In fact, the company says that resellers or others in the supply chain can’t tamper with the devices without it being obvious to consumers. The reason is what is known as “cryptographic attestation,” which uses unforgeable digital signatures to ensure that only authorized code runs on the hardware wallet. In 2015, officials said, “there is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key”. And earlier this year, Ledger’s CTO said attestation was so foolproof that it was safe to buy these devices on eBay.
But on Tuesday, a 15-year-old from the UK proved that these claims are downright incorrect. In a post published on his personal blog, Saleem Rashid demonstrated proof-of-concept code that allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that the company has been able to sell to millions of people. The stealth backdoor Rashid developed is a minuscule 300 bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.
Hackers could use the same approach to do other damage, including changing wallet destinations and even amounts for payments. For example, if you were trying to pay for something that cost $25, with this hack the payment could be changed to $2,500 and sent to the wallet belonging to the backdoor developer. The same undetectable backdoor also works on the more expensive, $200 Ledger Blue, which is billed as a higher-end device. Variations on the exploit might also allow so-called “evil maid attacks,” in which people with brief access to the device could compromise it while they clean a user’s hotel room.
Rashid said he has yet to verify that this month’s Nano S update fully neutralizes his proof-of-concept backdoor exploit as claimed by Ledger. But even if it does, he said he believes a key design weakness in Ledger hardware makes it likely his approach can be modified so that it will once again work. Specifically, the Ledger Blue and Nano S rely on the ST31H320 secure microcontroller from STMicroelectronics to provide the cryptographic attestation that the device is running authorized firmware. The secure microcontroller doesn’t support displays, USB connections, or high-throughput communications, so Ledger engineers added a second general-purpose microcontroller, the STM32F042K6, to serve as a proxy.
The difficulty of solving the problem is in stark contrast to the confidence Ledger marketers profess in guaranteeing the security of the devices. In addition to the tamper-proof assurances mentioned earlier, the company includes a leaflet with each device. It reads: “Did you notice? There is no anti-tampering sticker on this box. A cryptographic mechanism checks the integrity of your Ledger device’s internal software each time it is powered on. The Secure Element chip prevents any interception or physical replacement attempt. Ledger devices are engineered to be tamper-proof.”