Kraken Security Labs found some vulnerabilities in the hardware wallet Ledger Nano X. The wallet is regarded by many as one of the most secure storage devices.
Attackers Can Tamper Wallet Devices to Steal Crypto Funds
On Wednesday, Kraken Security Labs – the exchange’s team that checks the security of crypto products – announced that it had detected two new potential attacks that could be executed against Ledger Nano X. If conducted successfully, Kraken claims that the attacks might put the wallet’s security at risk.
The attacks might permit malicious actors to get control over the victims’ computers connected to the wallets and install malware capable of stealing crypto funds.
Kraken Security Labs explained all the technical details of the two attacks, dubbed Bad Ledger and Blind Ledger.
In the first attack, the Ledger Nano X has to be tampered before reaching the victim. The firmware of the wallet’s process is modified with a debugging protocol that behaves like a keyboard. It can send malicious keystrokes to the victim’s computer. Kraken demonstrated a video that displays an infected Ledger Nano X that has control over the host computer by acting as a keyboard. It opens a browser and enters the exchange’s website by using keyboard shortcuts.
Kraken says that the device and the Ledger Live software application identify the wallet as genuine and don’t realize the tampering.
In the second potential attack referred to as Blind Ledger, the wallet’s tampered processor can turn off the display. Mixed with a thorough social engineering attack, the display is shutting off while malware on the computer convinces the victim to press several buttons that trigger malicious transactions.
Given that the display is disabled, the victim would not be able to check the transaction on the wallet.
Kraken recommends users to buy Ledger wallets from trusted stores only. Also, users have to be cautious if the display turns off.
Ledger Says the Stored Funds Cannot Be Accessed Despite Potential Vulnerability
CryptoPotato reached Ledger for comment. The company’s CTO, Charles Guillemet, explained:
“We are grateful to the Kraken team for bringing this vulnerability to our attention. While we have addressed this issue at length on Ledger, we want to assure our users that funds stored on their Ledger Nano X could never be accessed, since the Ledger Nano X’s security relies on the Secure Element – not on the MCU chip. The issue could allow an attacker who intercepted the device during the supply chain to install malware on the user’s PC, though the funds would still be safe.”
He added that it was extremely unlikely that this kind of attack might be performed successfully. So far, there has been no loss of funds caused by the vulnerability.