Ledger hardware wallets, once considered one of the safer methods to store cryptocurrency, have been reported to be vulnerable to “man in the middle” attacks.
A team of unknown security researchers exposed a vulnerability that allegedly involves all Ledger hardware wallets. The discovery of the issue is said to have affected over one million users and has made it evident that the devices are not a foolproof method of storing crypto.
The newfound threat allows cybercriminals to show fraudulent addresses to ledger users/ customers in order to drain the user’s wallet and transfer the contents into their own wallet.
The problem was addressed by Ledger on February 3rd when the company Tweeted a report containing details of the vulnerability. The report offers preventative steps to avoid falling victim to attack but does not offer a real fix or solution.
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
The security researchers behind the discovery reported that Ledger did not take the findings seriously, saying
We contacted the CEO and CTO of Ledger directly in order to privately disclose and fix the issue. We’ve received a single reply, asking to hand over the attack details. Since then, all our mail have been ignored for three weeks, finally receiving an answer that they won’t issue any fix/ change.
Instead, the company plans on raising public awareness so that users can protect themselves from these types of attacks.
How It’s Done
A Ledger wallet creates a brand new address every time a payment is to be received, however, a man-in-the-middle attack will transfer the cryptocurrency to a fraudulent address instead of the user’s wallet. The report released by Ledger states that the attack is carried out when a Ledger customer uses a computer infected with malware, allowing the cybercriminal to interfere with the addresses that the cryptocurrency is intended for.
Once the computer is compromised, the attacker can discreetly change the code used to generate the unique address and, consequently, deposit the balance in their own wallet.