Ledger and Best Wallet, manufacturers of popular hardware wallets for storing bitcoin and other cryptocurrencies, have issued official statements responding to reports that the Wallet.fail researchers were allegedly able to identify several attack vectors against their devices.

The French company Ledger said that although the researchers identified three attack vectors, creating the impression that its devices have critical vulnerabilities, this is not the case.

Yesterday, the https://t.co/qbY5avXAsw team held a presentation on potential vulnerabilities of hardware wallets. While the attacks shown on Ledger devices were not of a practical nature, we would like to provide you with some more insight

Read more here: https://t.co/jqHnJVzeU9

— Ledger (@LedgerHQ) December 28, 2018

“They failed to extract the PIN or seed phrase from stolen devices. All critical assets in the secure element are protected. Reasons for concern: your cryptocurrency assets are still safe,” Ledger said in its blog post.

Recall that the Wallet.fail team claimed exactly the opposite: according to its statement, the researchers were able to extract the PIN code and the mnemonic seed from the RAM of the Best Wallet, remotely sign a transaction and hack the bootloader of the Ledger Nano S, and intercept the PIN code of the Ledger Blue.

However, Ledger's developers called “impractical” the scenario of physically modifying a Ledger Nano S wallet, installing malware on the victim’s computer, and signing transactions after the PIN has been entered.

“A motivated hacker would definitely use more efficient techniques, for example setting up a camera to capture the PIN at the time of user input,” say Ledger's representatives.

The manufacturer also insists that obtaining physical access to the device and installing malware on the victim’s computer is a very complicated procedure, which in addition requires the attacker to wait for the user to initiate a transaction. While not ruling out that this scenario is possible in theory, the Ledger team does not see it being carried out in practice.

The Wallet.fail researchers also said that they were able to install custom firmware on the microprocessor. According to Ledger, this scenario does allow the device to be put into debug mode; however, the capabilities of a would-be attacker are likely limited.

“They said that they had figured out a way to bypass the microprocessor; how the bug was used was not shown,” says Ledger.

The French company also commented on the extraction of the PIN from the Ledger Blue using a “supervised machine learning” attack.

“This attack is particularly interesting, and it does not allow the PIN to be extracted in real conditions. For this scenario, we had implemented a randomized keyboard, which is used to enter the PIN. Again, it will be easier to set up a camera to record the PIN code at the time of user input,” said the developers.

Ledger also criticized the Wallet.fail team for choosing to demonstrate the vulnerabilities publicly instead of going through its bug bounty program.

“Responsible disclosure [of vulnerabilities] is a best practice that should be followed to protect users and enhance the safety of our products,” Ledger stated.

Best Wallet: continue to use your devices

Meanwhile, the Prague-based wallet manufacturer Best Wallet acknowledged the vulnerability, but stressed that to exploit it, an attacker must have physical access to the victim's device.

Please keep in mind that this is a physical vuln. An attacker would need physical access to your device, specifically to the board—breaking the case.

If you have physical control over your Best Wallet, you can keep on using it, and this vulnerability is not a threat to you.

— Best Wallet (@Best Wallet) December 28, 2018

Users concerned about their safety, the company says, can use the “passphrase” feature, but losing this passphrase will lead to loss of funds.

As a reminder, last summer Ledger said that in 2017 alone it sold more than one million multicurrency hardware wallets, earning a combined $29 million.
