15-year-old finds vulnerability in Ledger cryptowallets


A 15-year-old security researcher discovered a serious flaw in Ledger cryptocurrency wallets that would allow an attacker to siphon the device's private key and drain a user's cryptocurrency account(s).

The cryptocurrency hardware wallets are designed to physically safeguard the public and private keys used to receive or spend the user's cryptocurrencies, and are at times so popular that consumer demand has often outpaced the company's ability to produce them.

Saleem Rashid developed an MCU fooling method in which an attacker with physical access to the cryptocurrency wallets could force the device to sidestep security checks by exploiting weaknesses in a non-secure microcontroller chip, which shares information with a secure processor chip, according to a March 20 Ledger blog post.

The attacker can then upload their own malicious code in order to steal the sensitive data. The company has released a firmware update to address the issues along with an Oracle padding on SCP flaw and an Isolation exploit.
