
Ledger Patches Nano X Supply Chain Vulnerability

Updated by Kyle Baird

In Brief

  • Ledger patches Ledger Nano X firmware in the new update.
  • The vulnerability is purely physical in nature, and part of a supply chain attack.
  • 24-word passphrase, private keys, and PIN code are unaffected by the attack.

The Ledger security team has patched a hardware exploit that could compromise Ledger Nano X wallets as a part of a supply chain attack.
Following a report from Kraken Security Labs, a cybersecurity division of Kraken, showing that the Ledger hardware wallet was susceptible to a supply chain attack, the device manufacturer has announced that it has patched the issue with a new firmware update for the Ledger Nano X. The patch only targets the Ledger Nano X and not the Ledger Nano S.
The manufacturer has said that the secure element of the wallet has not been affected, meaning that the vulnerability does not compromise the security of the 24-word passphrase, private keys, and PIN code. The vulnerability is purely physical and has been fully addressed with the patch. The team also stresses that the likelihood of this attack is very low. Ledger thanked Kraken for discovering the vulnerability, which it says Ledger’s security lab, the Ledger Donjon, had already discovered separately.

What Did Kraken Discover?

On July 8, Kraken Security Labs identified two supply chain attacks that were possible against Ledger Nano X wallets. As the name implies, supply chain attacks involve tampering with the device before it is delivered to the user. This can occur anywhere along the supply chain, for example at a malicious reseller or when the device is intercepted, so the user receives a device that the attackers have already compromised. Kraken reported that the firmware of the ‘non-secure processor’ can be modified through a debugging protocol so that the wallet acts as an input device, which can then send malicious keystrokes to the user’s host computer. The report reads:
The Ledger Nano X ships with the debugging functionality enabled on its non-secure processor, a feature that is disabled as soon as the first ‘app’, such as the Bitcoin app, is installed on the device. However, prior to any apps being installed, the device can be reflashed with malicious firmware that can compromise the host computer, similar to “BadUSB” and “Rubber Ducky” attacks.
In a nutshell, the attack uses the wallet as a keyboard and can also be used to execute malware attacks on the victim’s computer.
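
A host-side check for the keyboard behaviour described above, as an added example that is not from the article, Kraken or Ledger: it parses a USB HID report descriptor and reports whether the device declares itself a keyboard or keypad, which a hardware wallet has no reason to do. The sample descriptors are constructed for illustration, and reading the descriptor from the operating system is left out.

```python
# Added example: does a USB HID report descriptor declare a keyboard?
GENERIC_DESKTOP, KEYBOARD, KEYPAD = 0x01, 0x06, 0x07

def top_level_usages(desc: bytes):
    """Return (usage_page, usage) for every top-level Application collection."""
    found, page, usage, depth, i = [], 0, None, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: skip header + data
            if i + 1 >= len(desc):
                raise ValueError("truncated long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]       # short item data length
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError(f"truncated item at offset {i}")
        value = int.from_bytes(data, "little")
        tag = prefix & 0xFC                      # tag and type bits
        if tag == 0x04:                          # Global: Usage Page
            page = value
        elif tag == 0x08:                        # Local: Usage
            # A 4-byte usage carries its own page in the upper 16 bits.
            usage = (value >> 16, value & 0xFFFF) if size == 4 else (page, value)
        elif tag == 0xA0:                        # Main: Collection
            if depth == 0 and value == 0x01 and usage is not None:
                found.append(usage)
            depth, usage = depth + 1, None
        elif tag == 0xC0:                        # Main: End Collection
            depth, usage = max(depth - 1, 0), None
        elif tag in (0x80, 0x90, 0xB0):          # Input/Output/Feature end local scope
            usage = None
        i += 1 + size
    return found

def declares_keyboard(desc: bytes) -> bool:
    """True if any top-level collection is a Generic Desktop keyboard or keypad."""
    return any(p == GENERIC_DESKTOP and u in (KEYBOARD, KEYPAD)
               for p, u in top_level_usages(desc))

# Constructed sample descriptors (not captured from any real device).
VENDOR_ONLY = bytes.fromhex(
    "06 00 ff 09 01 a1 01 09 03 15 00 26 ff 00 75 08 95 40 81 08 09 04 91 08 c0")
KEYBOARD_ONLY = bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 c0")
COMPOSITE = VENDOR_ONLY + KEYBOARD_ONLY          # vendor interface plus a keyboard

if __name__ == "__main__":
    for name in ("VENDOR_ONLY", "KEYBOARD_ONLY", "COMPOSITE"):
        print(name, declares_keyboard(globals()[name]))
```

On Linux the descriptor bytes for each attached HID interface can be read from `/sys/bus/hid/devices/*/report_descriptor`.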

Hardware Wallets Still the Safest, But Updates Always Necessary

Ledger is one of the most popular hardware wallets on the market and acts as an offline storage solution used by investors to safely store large amounts of their digital asset investments. While hardware wallets are much safer than web, desktop, and mobile wallets, security teams periodically release reports showing that the protection is not airtight. To their credit, manufacturers like Ledger and Trezor have historically patched issues soon after they were discovered. A recent report published by HTF MI has shown that the purchase of hardware wallets has slowed down as a result of the COVID-19 pandemic. However, safe storage solutions continue to be a strong area of research and development as more investors enter the market.

Rahul Nambiampurath
Rahul Nambiampurath's cryptocurrency journey first began in 2014 when he stumbled upon Satoshi's Bitcoin whitepaper. With a bachelor's degree in Commerce and an MBA in Finance from Sikkim Manipal University, he was among the few that first recognized the sheer untapped potential of decentralized technologies. Since then, he has helped DeFi platforms like Balancer and Sidus Heroes — a web3 metaverse — as well as CEXs like Bitso (Mexico's biggest) and Overbit to reach new heights with his...