Ledger: recently discovered wallet vulnerabilities are not critical

Ledger said in a post on its official Medium blog on December 28th that the newly discovered vulnerabilities in its hardware wallets are not critical.

Yesterday at the 35C3 Refreshing Memories conference in Berlin, researchers claimed to be able to hack the Trezor One, Ledger Nano S and Ledger Blue cryptocurrency wallets.

In the post, the company explains that there seemed to be "three paths of attack that could give the impression that critical vulnerabilities were discovered", but according to them "this is not the case".

Ledger claims that the vulnerabilities are not critical because "they failed to extract any seed or PIN on a stolen device" and "sensitive resources stored on the Secure Element remain secure".

According to the company, the Ledger Nano S vulnerability "has shown that the physical modification of Ledger Nano S and the installation of malware on the victim's PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) application is launched."

This, says Ledger, is "rather impractical, and a motivated hacker will certainly use more efficient tricks." While the researchers claimed that the vulnerability allowed them to "send malicious transactions to the ST31 [the secure chip] and also confirm it ourselves," Ledger denies this, stating:

"Their firmware is snapping on the MCU in Bootloader mode, which means you have to press the left button on the boot and Secure Element does not boot either."

Ledger also claims that the demonstration of the Ledger Blue attack is "a bit unrealistic and not practical", claiming that "the position of the receiver and the device attached must be exactly the same, even the location of the USB cable is fundamental (as it acts as an antenna)."

The post stated that "if the conditions are not exactly the same, the machine learning classifier will not work properly". For this reason, Ledger concluded:

"This attack is definitely interesting, but it does not allow anyone to guess someone's PIN under real conditions (it requires that you never move your device)."

Furthermore, because of this vulnerability, Ledger has stated that the next Ledger Blue firmware update will feature a randomized PIN keyboard.

The company also said it "deplored that the researchers did not follow the standard security principles outlined in Ledger's Bounty program". According to Ledger, "in the security world, the usual way of proceeding is responsible disclosure, which is a model in which a vulnerability is disclosed only after a reasonable period of time that allows us to correct the vulnerability and mitigate risks to users."

In November, Ledger announced its expansion in New York to develop its institutional custody offering, Ledger Vault. In addition, the company has also recently signed an agreement with Crypto.com for the initiation of encryption to allow users to pay for their products with cryptocurrencies.
