French Cybersecurity Agency Grants Security Certificate to Ledger Nano S Hardware Wallet
The Ledger Nano S from French crypto hardware wallet firm Ledger has received a First Level Security Certificate (CSPN) from France’s national cybersecurity agency, ANSSI. The development was shared with Cointelegraph on March 18.
The National Cybersecurity Agency of France (ANSSI) reports to the Secretariat-General for National Defence and Security (SGDSN) in order to assist the French Prime Minister in matters of defence and national security. According to its list of certified products, 122 out of 261 products that ANSSI has started evaluating since June 1, 2018, have been certified.
Products aspiring to receive a CSPN certificate undergo a series of evaluations by an ANSSI lab, with testing for multiple attack scenarios that challenge the product’s security. Evaluations span “firewall, identification, authentication and access, secure communications, and embedded software.”
Claiming a crypto hardware wallet industry first, Ledger underscores the importance of receiving an independent third-party certification to attest to the security of its offering, and says the CSPN for Ledger Nano S is the beginning of an overall effort to certify all of its products.
The blog post outlines that Ledger also operates its own in-house security evaluation “Attack Lab,” dubbed Ledger Donjon, which tests products’ resilience against a variety of threat scenarios.
The company has also reportedly developed a custom operating system, BOLOS (Blockchain Open Ledger Operating System), to couple software and hardware strategies that enhance security.
According to the blog post, the CSPN certificate covers a gamut of core embedded security functions, including a true random number generator, whose output is generated in hardware and then post-processed through BOLOS, in compliance with security guidelines established in France’s Security General Referential.
Other CSPN-certified security functions include a root of trust — which ensures that a given Nano S is authentically issued by Ledger — end-user verification measures, such as mandatory PINs for accessing services, and post-issuance capability, which occurs over a secure channel.
As Cointelegraph reported last December, researchers have claimed they were able to hack the Ledger Nano S, as well as crypto hardware wallet Trezor One, and Ledger’s most expensive hardware wallet offering, the Ledger Blue. The day after the report, Ledger argued that the reported vulnerabilities in its hardware wallets were not critical.
This February, Ledger apologized for — and pledged to remedy — issues with a recent firmware update for Nano S, which had inadvertently decreased the device’s storage capacity.