Kraken Discovers Potential Attacks Against Ledger Wallets, User Funds Unaffected

Published at: July 8, 2020

Kraken Security Labs, the cybersecurity division of US-based cryptocurrency exchange Kraken, has identified new potential attacks against popular hardware wallet Ledger.

These attacks can affect Ledger Nano X wallets if they execute prior to the user receiving the wallet, if a wallet was intercepted during shipment or obtained from a malicious reseller, Kraken noted. This leaves the attackers theoretically capable of controlling computers connected to Ledger wallets and running malware on them. Thankfully it stayed theoretical — the issue was repaired.

Had the matter gone unaddressed, then we’d start hearing about “Bad Ledger attacks” and “Blind Ledger attacks.” The first of these would infect a Ledger Nano X wallet by modifying its debugging protocol to act as an input device, like a keyboard. Using keyboard shortcuts, it can open a browser and navigate to Kraken’s exchange. The second kind of attack approves malicious transactions while a device’s display is turned off. This exploit can manipulate the wallet’s display and convince users to press a series of buttons that approves a malicious transaction.

Ledger issued a security bulletin in response to the discovery, confirming that this vulnerability could lead to supply chain attack scenarios. The company also indicated that the latest firmware update would protect wallet holders from these attacks.

“Debugging capabilities are permanently switched off as soon as an application is installed [...] These attacks cannot be performed once an application has been installed on the device.”

The Nano X is the latest crypto wallet by major hardware wallet manufacturer Ledger. Released in 2019, it is the only rechargeable Ledger wallet that works wirelessly via Bluetooth. On July 6, Cointelegraph reported on Ledger CTO Charles Guillemet denying Ledger’s alleged double-spend vulnerability.

Tags
Related Posts
Ledger users threaten legal action after hacker dumps personal data
The hacker that breached hardware wallet provider Ledger’s marketing database earlier this year has released personal data for thousands of users, prompting many to threaten the firm with a class-action lawsuit. According to a tweet from network security firm Hudson Rock's Alon Gal, a hacker allegedly behind the breach of personal data from hardware wallet Ledger in June has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses from users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including email addresses, physical addresses, and phone numbers. ALERT: Threat actor just dumped …
Technology / Dec. 20, 2020
Doxxed Ledger users in danger of physical harm
While users affected by the Ledger data dump are threatening legal action, some wallet owners might be at the risk of being visited by criminals. According to a Redditor named "u/relephants," some users have begun receiving threatening emails demanding a $500 payment or else risk being attacked in their homes. This development opens up another risk factor for Ledger users whose private information has been leaked by the hacker. Apart from home invasions, the affected Ledger owners also have to deal with phishing and SIM swapping exploits, among others. Actual robberies connected to Bitcoin (BTC) are not uncommon, especially when …
Technology / Dec. 21, 2020
Hardware crypto wallet sales increase as centralized exchanges scramble
Blockchain analysis firm Glassnode recently characterized the 2022 bear market as the worst on record. This seems to be the case due to events such as the war in Ukraine and rising inflation, coupled with serious problems among centralized crypto exchanges. Yet, the bear market hasn’t negatively impacted all players in the crypto ecosystem. Hardware wallet providers seem to be benefiting from the massive amount of crypto withdrawals from centralized exchanges. Pascal Gauthier, CEO of hardware wallet crypto firm Ledger, told Cointelegraph that the company’s revenue dropped about 90% during the 2018 crypto winter, but this hasn’t been the case …
Decentralization / July 6, 2022
Crypto Exchange Rokkex Incorporates Ledger Vault to Improve Security
French hardware wallet producer Ledger will provide its asset management system to Estonia-based crypto exchange Rokkex. Cybersecurity-focused exchange Built by Lithuanian cybersecurity and fintech professionals, Rokkex will integrate its trading platform with Ledger’s enterprise wallet management solution Ledger Vault to secure its crypto assets, according to a news release shared with Cointelegraph on Aug. 20. Lukas Krikstaponis, Rokkex’s co-founder and CEO, said that the platform has successfully tested Ledger’s technology on its platform to date. Demetrios Skalkotos, global head of Ledger Vault, explained: “Rokkex’s customers expect full transparency and protection from crypto hacks. [...] By leveraging Ledger Vault, Rokkex will …
Altcoin / Aug. 20, 2019
Ledger hardware wallets hit by the FTX earthquake, CTO says
Hardware-based cryptocurrency wallet provider Ledger has experienced some issues due to massive outflows from crypto exchanges amid the FTX bloodbath, according to its chief technology officer. Ledger saw a “massive usage” of their platforms and suffered a “few scalability challenges” on Nov. 9, Ledger CTO Charles Guillemet reported in a statement on Twitter. Guillemet reasoned Ledger’s issues by the outcomes of the ongoing crisis of a major global cryptocurrency exchange, FTX. The CTO said that crypto investors have been increasingly offloading their holdings from crypto exchanges to Ledger, stating: “ After the FTX earthquake, there's a massive outflow from exchanges …
Bitcoin / Nov. 10, 2022