A 15-year-old security researcher discovered a serious flaw in Ledger cryptocurrency wallets that would allow an attacker to siphon the device’s private key and drain a user’s cryptocurrency account(s).
The cryptocurrency hardware wallets are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies and are a at times so popular that consumer demand has often outpaced the company’s ability to produce them.
Saleem Rashid developed an MCU fooling method in which an attacker with physical access to the cryptocurrency wallets could force the device to sidestep security checks by exploiting weaknesses in a non-secure microcontroller chip which shares information with a secure processor chip, according to March 20 Ledger blog post.
The attacker can then to upload their own malicious code in order to steal the sensitive data. The company has released a firmware update to address the issues along with an Oracle padding on SCP flaw and an Isolation exploit.