Saleem Rashid, a 15-year-old programmer, has discovered a flaw in the Ledger hardware wallet that allows hackers to get secret PINs before or after the device gets shipped, according to a story on his blog. The vulnerability allows for a "supply chain hack", where the device could be compromised before it is ever used, as well as an "Evil Maid attack" that can get the data after the device has been used at least once after being attacked.
Scary stuff if a Ledger employee happened to know about the attack and could implement it before a unit was shipped.
Physical access before setup of the seed
Also known as a "supply chain attack", this is the focus of this article. It does not require malware on the target computer, nor does it require the user to confirm any transactions. Despite claims otherwise, I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.