Update: Ledger CTO Charles Guillemet has issued a response to the report from Kraken, which you can view in its entirety below.
“We are grateful to the Kraken team for bringing this vulnerability to our attention. While we have addressed this issue at length on Ledger, we want to assure our users that funds stored on their Ledger Nano X could never be accessed, since the Ledger Nano X’s security relies on the Secure Element – not on the MCU chip. The issue could allow an attacker who intercepted the device during the supply chain to install malware on the user’s PC, though the funds would still be safe. While there are various measures that must be met in order to pull this minor vulnerability off, it’s extremely unlikely that this kind of attack would be performed successfully. Considering the issue has been fixed with the latest Nano X firmware update, there has been no loss of funds, and no user has fallen victim to this vulnerability. We will always prioritize our customers’ security as we work to improve the ecosystem.”
Crypto exchange Kraken is warning users of a potential security risk linked to Ledger Nano X hardware wallets that affects products that have been tampered with during shipment or bought from malicious resellers.
The Nano X, which was released just last year, allows users to store their Bitcoin and crypto. It is Ledger’s only rechargeable wallet that can connect to the Ledger Live Mobile app via Bluetooth.
According to Kraken’s cybersecurity division, such a supply chain attack could give malicious actors access to computers connected to the wallet and allow them to install malware.
“The firmware of the non-secure processor is modified using a debugging protocol to act as an input device, like a keyboard, that can then send malicious keystrokes to the user’s host computer…
Alternatively, the infected Nano X could have executed malware on the victim’s machine. Neither the Ledger Nano X device nor the Ledger Live software application displays any indication of tampering, and both identify the device as genuine.”
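The mechanism Kraken describes is a non-secure MCU re-flashed to enumerate as a USB keyboard. One host-side check a defender can run is to walk the USB HID report descriptor of a connected device and flag any top-level collection that declares a keyboard or mouse usage, since a hardware wallet is expected to expose only a vendor-defined HID usage page. The parser below is an added example, not code from the article, from Kraken or from Ledger; the descriptor bytes are constructed samples, and the vendor usage page 0xFFA0 is an assumption, not a claim about Ledger’s real descriptor.

```python
# Added example (not from the article, Kraken or Ledger): parse a USB HID
# report descriptor and flag top-level collections that declare keyboard or
# mouse usage. Descriptor bytes below are constructed samples; the vendor
# usage page 0xFFA0 is an assumption chosen for illustration.

GENERIC_DESKTOP = 0x01          # Usage Page: Generic Desktop Controls
KEYBOARD, MOUSE = 0x06, 0x02    # Usages on that page

def top_level_collections(desc: bytes):
    """Yield (usage_page, usage) for every top-level HID collection."""
    usage_page, usage, depth, i = None, None, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: length byte follows
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x3]        # short-item data length
        tag, kind = prefix >> 4, (prefix >> 2) & 0x3   # kind: 0 main, 1 global, 2 local
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        if kind == 1 and tag == 0x0:             # global: Usage Page
            usage_page = data
        elif kind == 2 and tag == 0x0:           # local: Usage
            usage = data
        elif kind == 0:                          # main items consume local state
            if tag == 0xA:                       # Collection
                if depth == 0:
                    yield usage_page, usage
                depth += 1
            elif tag == 0xC:                     # End Collection
                depth -= 1
            usage = None
        i += 1 + size

def suspicious_input_collections(desc: bytes):
    """Return top-level collections that would make the device act as keyboard/mouse."""
    return [(p, u) for p, u in top_level_collections(desc)
            if p == GENERIC_DESKTOP and u in (KEYBOARD, MOUSE)]

# Constructed sample: a single vendor-defined collection (wallet-style device).
WALLET_ONLY = bytes.fromhex(
    "06a0ff 0901 a101 0903 1500 26ff00 7508 9540 8108 0904 9140 c0")
# Constructed sample: same device, plus an extra boot-keyboard collection.
WALLET_PLUS_KEYBOARD = WALLET_ONLY + bytes.fromhex(
    "0501 0906 a101 0507 19e0 29e7 1500 2501 7501 9508 8102 c0")

if __name__ == "__main__":
    for name, d in (("wallet-only", WALLET_ONLY), ("wallet+keyboard", WALLET_PLUS_KEYBOARD)):
        print(name, "flagged:", suspicious_input_collections(d))
```

On Linux the raw descriptor for a device is available under /sys/bus/usb/devices/*/.../report_descriptor, so the same function can be run over real hardware before trusting it.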
Although Kraken says this “might result in the loss or theft of funds stored”, Ledger says there is zero chance that funds can be accessed.
Ledger also tells users that the issue is physical and does not concern attacks that can be done remotely. It further assures that its popular hardware wallet, the Ledger Nano S, is not affected and that funds remain safe.
“Even if you were using the previous firmware version (1.2.4-1), they’d still not have access to any critical data like your recovery phrase, private keys, PIN, apps and other sensitive data.
Since there are a lot of parameters that must be met in order to pull this vulnerability off, after which it still relies on tricking someone through social engineering, it’s extremely unlikely that this kind of attack would be performed successfully.”
Featured Image: Shutterstock/BeeBright