We all know very well that the cryptocurrencies can be stored in a wide variety of sites. We can have them in the exchange portals (option not recommended), in a wallet in our computer (recommended but with backup), and we can also store them offline in devices similar to USB memories. However, now according to the latest reports, a 15-year-old boy managed to hack an ‘unhackable’ cryptocurrency wallet
This 15-Year-Old Boy Hacks ‘Unhackable’ Cryptocurrency Wallet
The cryptocurrencies can be stored in a wide variety of sites. We can have them in the exchange portals (option not recommended), in a wallet in our computer (recommended but with backup), and we can also store them offline in devices similar to USB memories. A company that claimed that they have crypto wallets (offline USB device) that were not hackable has just seen how a 15-year-old child has left them in evidence.
Ledger, specialized in cryptocurrency wallets, has been hacked
The company is called Ledger, and it’s French. They have always presumed that their hardware for storing cryptocurrencies is so secure that no one can corrupt them without their owners noticing. For this, they use a technique called Anonymous Attestation, or anonymous declaration, which creates unforgeable signatures so that only approved code is executed. In 2015, the company said it was impossible for an attacker to replace the firmware and pass it through the declaration process without knowing the private key of Ledger.
However, a 15-year-old from the United Kingdom has shown that this is not the case. The boy, named Saleem Rashid, has explained how a backdoor found in the Ledger Nano S works, which is worth $100 and which the company claims to have already sold millions. It also works with the Ledger Blue, despite being the high end and cost $200.
The back door has only 300 bytes and causes the device to generate default wallet addresses and passwords known to the attacker. Thus, the attacker can enter the password in the wallet to retrieve the keys that the old device stores for those addresses. By doing that, if we try to send money to another person, an attacker can change the address and put his/her own, as well as change the amount. The exploit allows all this to be done while also having physical access to the device.
It is very difficult to get it fixed by software
The company released a patch two weeks ago for the Nano S, and they claim that the vulnerability was not critical and that the attack did not allow the extraction of the private keys, to which Rashid responded that the latter was a lie.
Rashid has not yet tested whether the method works on already patched devices. However, he says that a key part of Ledger’s hardware design makes it very likely that with a simple modification it can be made to work again. The system takes advantage of a vulnerability that exists in the way in which the microcontrollers communicate inside it.
A John Hopkins University professor named Matt Green has reviewed Rashid’s post and believes it is very difficult for the patch released this month to have solved the vulnerability. The security chip cannot know the code that is running in the processor, so you have to ask the processor itself and “trust” that it is legitimate.
So, what do you think about this? Simply share all your views and thoughts in the comment section below.