Bitcoin

Kraken discovered possible attacks on Ledger purses, user funds were not affected

Kraken Security Labs, the cybersecurity department of the U.S.-based cryptocurrency exchange Kraken, has identified potential new attacks on the popular ledger physical wallet.

These attacks can affect Ledger Nano X wallets if they are executed before the user has received the wallet, if the wallet was intercepted during shipping, or if it was obtained from a malicious dealer, Kraken said. This theoretically allows attackers to control computers that are connected to ledger wallets and to run malware on them. Fortunately, all of this was only theoretical: the problem was solved.

If the bug hadn’t been fixed, we would hear of “malicious ledger attacks” and “blind ledger attacks”. The first of them infects a Ledger Nano X wallet by changing the debugging protocol to act like a keyboard as an input device. With keyboard shortcuts you can open a browser and navigate to the octopus operator. The second type of attack approves malicious transactions while the device screen is off. This exploit can manipulate the wallet screen and persuade users to press a series of buttons to approve a malicious transaction.

Kraken discovered possible attacks on Ledger purses, user funds were not affected
Kraken discovered possible attacks on Ledger purses, user funds were not affected

In response to this discovery, Ledger issued a security bulletin. Confirmation that this vulnerability could lead to attack scenarios in the supply chain. The company also said that the latest firmware update would protect wallet holders from such attacks.

“The debugging functions are permanently deactivated as soon as an application is installed […] These attacks cannot be performed once an application has been installed on the device. “

The Nano X is the latest cryptocurrency wallet from the largest manufacturer of physical wallets, Ledger. It was launched in 2019 and is the only rechargeable Ledger wallet that works wirelessly via Bluetooth. On July 6, Cointelegraph reported on Ledger’s CTO, Charles Guillemet, and denied Ledger’s alleged double expense vulnerability.

Similar Posts