Saleem Rashid, a 15-year-old programmer, has found a vulnerability in the Ledger Nano S wallet. This is not his first contribution to the field: as he says on his Twitter account, he has also contributed to Trezor’s open-source firmware and has worked as a contractor for NEM, supporting the implementation of NEM in Trezor.
Ledger Nano is a cold wallet and, according to its creators, secrets such as private keys are never exposed: transactions are isolated within the hardware wallet and locked by a PIN code. Transactions cannot be manipulated, and they are physically verified on the screen at the touch of a button.
As far as online security is concerned, cold wallets are one of the best options that cryptocurrency holders have to keep their investments safe, but when the possibility arises that someone could physically manipulate the wallet, it seems that it is not so secure.
Saleem Rashid discovered a way to modify the PIN code that locks the wallet, obtaining total access to the cryptocurrencies stored inside.
As this young programmer explains on his blog, an attacker can take advantage of this security flaw before the end user receives the device, stealing the keys physically or even remotely.
The method he used is called a “supply chain attack”, and he explains it step by step on his blog, where there is also a video in which he demonstrates his discovery.
“I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report.”
“I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
Before publishing this security flaw, Saleem contacted the CEO of Ledger, who denied that the errors found were critical and described the vulnerability as implausible.
After this response, he demonstrated a supply chain attack with modified MCU firmware and sent the source code for analysis.
It took 4 months from Saleem’s security warning until Ledger updated the firmware of its Ledger Nano S and Ledger Blue to correct this vulnerability.
Something similar happened with the TREZOR One cold wallet, in which Saleem Rashid discovered a security flaw, but this time the problem was resolved through a fluid conversation between the young programmer and the TREZOR team. Additionally, Marek Palatinus (CEO of SatoshiLabs) praised Saleem Rashid, thanking him for his work and great creativity and saying that it has helped them to make better and safer products.