15-year-old pwns Ledger Nano wallet, update that firmware

in #security, 7 years ago (edited)

Matthew Green Twitter Ledger
image from @matthew_d_green

Time to update that Nano

A few weeks ago Ledger issued firmware 1.4.1 for the Nano crypto hardware wallet, which fixed some security issues.

At the time, there was speculation about how serious these issues were and whether your data was at risk of theft. The conclusion then was that your data was safe, but that the issues were still potentially serious.

Today, Ledger have updated their blog with some more key information, as well as a nod to 15-year-old security researcher Saleem Rashid, who has published a very good writeup of his findings on his blog: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

And if that is too much, crypto professor Matthew Green has written a nice Twitter thread summarizing the implications of this vulnerability for Ledger and for this whole class of secure devices: https://threadreaderapp.com/thread/976066416267939840.html

The most important conclusion is that you should update your Nano firmware to 1.4.1 ASAP if you have not done so already.

Good to hear this. Updates are always something to keep an eye on.

Scary... thanks for the heads up.

Indeed, hopefully 1.4.1 is safe for the moment.
One big takeaway is don't buy second-hand Nano devices.

Best alternative is Trezor!

Perhaps, though Trezor has its own security issues and doesn't use a secure chip.
https://medium.com/@Zero404Cool/trezor-security-glitches-reveal-your-private-keys-761eeab03ff8

Damn! We are fucking exposed.

Just saw Brian Krebs weighed in on this as well and points out Rashid is 15 years old. Impressive!
https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/