Ledger Crypto Wallet Hacked By 15-Year-Old

rgMekanic

[H]ard|News
Joined
May 13, 2013
Messages
6,943
Saleem Rashid, a 15-year-old programmer has discovered a flaw in the Ledger hardware wallet that allows hackers to get secret PINs before or after the device gets shipped according to a story on his blog. The vulnerability discovered allos for a "supply chain hack" where the device could be compromised before the device is ever used, as well as an "Evil Maid attack" that can get the data after the device has been used at least once after it has been attacked.

Scary stuff if a Ledger employee happened to know about the attack and could implement it before a unit was shipped.

Physical access before setup of the seed
Also known as a "supply chain attack", this is the focus of this article. It does not require malware on the target computer, nor does it require the user to confirm any transactions. Despite claims otherwise, I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.
 
upload_2018-3-22_17-2-18.png
 
think this is the same kid that helped a jorno hack his ledger to reclaim his bit coins
 
^^Pretty sure that was a Trezor. That was the Wired article right?
 
Despite claims otherwise, I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.

I'm glad this guy took the high road and gave the company a chance to correct the problem few months ago. Now this is an ethical hacker mind-set especially considering such key. *Raises a glass of M-Dew to this guy*
 
Sucks that he didn't get a bounty because their bounty program doesn't promise they will release info about the fix. He was trying to be a proper white hat, and then they release info a day after he does. :/
 
It does look like he is using the older firmware in the video. No idea if it is fixed in the latest. So far Ledger hasn't said anything on reddit where they are pretty active.
 
If a person can make it a person can hack it.

Hello AES256


From Wikipedia:

"a 126-bit key (instead of 128-bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128 bit key requires storing 288 bits of data (though this has later been improved to 256,[29] which is 9 petabytes). That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet in 2016. As such this is a seriously impractical attack which has no practical implication on AES security.[30]"
 
Last edited:
Hello AES256


From Wikipedia:

"a 126-bit key (instead of 128-bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128 bit key requires storing 288 bits of data (though this has later been improved to 256,[29] which is 9 petabytes). That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet in 2016. As such this is a seriously impractical attack which has no practical implication on AES security.[30]"


350.png
 
Hello AES256


From Wikipedia:

"a 126-bit key (instead of 128-bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128 bit key requires storing 288 bits of data (though this has later been improved to 256,[29] which is 9 petabytes). That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet in 2016. As such this is a seriously impractical attack which has no practical implication on AES security.[30]"

You could also just beat the encryption key out of the person and steal all their money doesn't matter if your encryption is perfect it is called social hacking. Good luck doing that at a bank even if you had their pin code, card, id by beating it out of the person. Even if you socially hack the bank they will go after you unlike cryptocurrencies which have no fraud department, no legal requirements, barely any regulations.

A lot of systems that have been compromised have theoretically sound encryption the key thing is to bypass it or get the key via side channel attacks or vulnerabilities in the code that make the encryption worthless even if it is mathematically sound. So the statement of someone will always hack it is true. Your dumb to assume that because the math is sound the system in practice is sound. Ironically that applies to cryptocurrencies themselves as well sure the math might work out but in practice it is a scam filled system that wastes tons of power.

Also since I want to build a computer with a GPU in it I would rather cryptocurrencies get banned because it makes GPU prices absurd and is a huge environmental waste of resources.
 
You could also just beat the encryption key out of the person and steal all their money doesn't matter if your encryption is perfect it is called social hacking. Good luck doing that at a bank even if you had their pin code, card, id by beating it out of the person. Even if you socially hack the bank they will go after you unlike cryptocurrencies which have no fraud department, no legal requirements, barely any regulations.

A lot of systems that have been compromised have theoretically sound encryption the key thing is to bypass it or get the key via side channel attacks or vulnerabilities in the code that make the encryption worthless even if it is mathematically sound. So the statement of someone will always hack it is true. Your dumb to assume that because the math is sound the system in practice is sound. Ironically that applies to cryptocurrencies themselves as well sure the math might work out but in practice it is a scam filled system that wastes tons of power.

Also since I want to build a computer with a GPU in it I would rather cryptocurrencies get banned because it makes GPU prices absurd and is a huge environmental waste of resources.

I didn’t mention “a lot of” defeated encryption types”. I mentioned AES256, the most widely accepted — best symmetric encryption type.

AES encryption has been around since 1997, and won major acceptance as the best open method of encryption in 2001. That’s 20 years. The methodology for the encryption is completely transparent. Think “open source”. This isn’t defense by obscurity. It’s defense by super complex math, salts, and rounds. So far research into attack methods have made it as far as several rounds cracked, but AES256 has 14 rounds!

If AES256 gets close to being cracked, at some point in the future, they can just increase to AES512, AES1024, etc

This doesn’t have anything to do with the ledger (post topic) per se’ It was in response to the post that if man can create it, he can crack it.

——-
PS. If you are going to tell someone “your dumb”, you might consider using proper English. You forgot the contraction. “You’re dumb” is the correct way to insult someone.
 
Last edited:
Can we just ban 12 - 19 year olds ?? would save the world a lot of grief ....

I'll never forget during my IT security class the day the professor, using an example of the dangers of physical access, pointed us to a youtube video of a 12 year old giving a tutorial on how to bypass the Windows 7 user login to gain full access.
 
Back
Top