Hardware wallet Ledger Nano S had a break in – teenage security expert, Saleem Rashid, found an issue with the “tamper-free” wallet. The story began on Nov. 2017, when Rashid reported a flaw to Ledger CTO, Nicolas Bacca, which could allow attackers to steal funds from wallet users.
Rashid had observed that the microcontroller employed in the wallet was not secure. While it allowed the use of buttons and displays to input data, it was connected as a proxy to the Secure Element (SE). The latter contained private keys which meant that a hacker could trick the SE in different ways. Here’s how: retailers and resellers could change microcontroller’s firmware which, now compromised, could verify its ‘identity’ to the SE. He further explained that the attacker could control the user interface and use their malicious code to set randomness to zero and add a recovery seed of their own choice. Rashid chose the word ‘abandon’ to prove his point in an uploaded video. Now that the attacker had the mnemonic phrase, they could get the private keys easily.