A newly discovered security vulnerability on Ledger hardware wallets could eventually lead to the theft of user funds. At the time of writing, Ledger has not addressed or disclosed the security issue, leaving its millions of users at substantial risk.
According to a public disclosure report published today by Monokh, an attacker can exploit the vulnerability to transfer BTC from a Ledger wallet. At the same time, the owner is under the impression that they are transacting Bitcoin forks such as Litecoin, Bitcoin Cash, or Testnet Bitcoins.
Originally, Ledger wallet users need to install a corresponding app for each cryptocurrency/asset they want to hold, and these apps are designed to be isolated.
In other words, only an app can be unlocked at a time for a user to carry out various functions such as signing messages, exporting public keys, or confirming a transaction. All locked apps are supposed to be untouchable by external messages.
However, the newly discovered vulnerability means that the “Ledger device exposes Bitcoin (mainnet) public key and signing functionality outside of the “Bitcoin” app.”
For instance, when a user unlocks the Litecoin app, they “will receive a confirmation request for a Bitcoin transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed Bitcoin (mainnet) transaction.”
By default, the Ledger device should prevent the execution of such a glaring error since the user didn’t intend to send bitcoins but Litecoins. The report notes that the same vulnerability applies when transacting any of the Bitcoin forks, and could easily be used by attackers to steal Bitcoins from Ledger wallet users.
Additionally, although Ledger had been alerted to the potential risks, the wallet manufacturer has not yet engineered a fix since reporting on May 4 that it is investigating the issue. In recent weeks, Ledger has also come under fire for a data breach that leaked personal information for thousands of users.
After reaching out to Ledger for comments regarding the latest vulnerability, the company published a security bulletin acknowledging the risks and naming more coins that could be affected. Essentially, Ledger will release a new version of its Bitcoin app with a fix and has recognized Monokh for reporting the issue.
UPDATE: We have updated this report to include Ledger’s long-awaited response to the security vulnerability, and a promise to release a new version of its Bitcoin app to fix the issue.